Proj0044: Enable <RestoreLockedMode> when <ContinuousIntegrationBuild> is enabled
To ensure that dotnet restore cannot implicitly upgrade package versions that are specified in the lock file, it is necessary to enable “locked mode”.
The recommended way of enabling locked mode is to conditionally set the RestoreLockedMode property to true if the ContinuousIntegrationBuild property is set to true. This assumes that a dynamic mechanism is in place to ensure ContinuousIntegrationBuild is set to true in CI pipelines.
See also:
- https://devblogs.microsoft.com/dotnet/enable-repeatable-package-restores-using-a-lock-file/
- https://www.meziantou.net/faster-and-safer-nuget-restore-using-source-mapping-and-lock-files.htm
When to disable this rule
This rule can be safely disabled if there is any configuration in place to ensure locked mode when restoring dependencies (such as through using --locked-mode or /p:RestoreLockedMode=true) in build pipeline scripts.
Non-compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
</Project>
Compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
  </PropertyGroup>
</Project>
Or:
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <PropertyGroup Condition="'$(ContinuousIntegrationBuild)' == 'true'">
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>
</Project>
Or:
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>false</RestorePackagesWithLockFile>
  </PropertyGroup>
</Project>
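The rule's decision, written as a small stand-alone check and run over the four project shapes shown on this page. This is an added example, not the analyzer's own implementation; the function names, the SAMPLES dictionary and the simplification that only the two conditional forms shown here count as locked are assumptions.

```python
import xml.etree.ElementTree as ET

def _is_true(elem):
    return (elem.text or "").strip().lower() == "true"

def _is_ci_condition(cond):
    # MSBuild compares strings case-insensitively; ignore quotes and spaces.
    flat = (cond or "").replace(" ", "").replace("'", "").lower()
    return flat == "$(continuousintegrationbuild)==true"

def check_locked_mode(csproj_xml):
    """Return 'compliant' or 'non-compliant' for an SDK-style project file."""
    root = ET.fromstring(csproj_xml)
    uses_lock_file = locked_in_ci = False
    for group in root.iter("PropertyGroup"):
        for prop in group:
            if not _is_true(prop):
                continue
            if prop.tag == "RestorePackagesWithLockFile":
                uses_lock_file = True
            elif prop.tag == "RestoreLockedMode":
                # The condition may sit on the property or on its PropertyGroup.
                # Assumption: only the conditional forms from this page count.
                cond = prop.get("Condition") or group.get("Condition")
                locked_in_ci = locked_in_ci or _is_ci_condition(cond)
    # Without a lock file there is nothing for locked mode to enforce.
    return "compliant" if (locked_in_ci or not uses_lock_file) else "non-compliant"

# Constructed samples mirroring the project files on this page.
def _project(groups):
    return f'<Project Sdk="Microsoft.NET.Sdk">{groups}</Project>'

CI = "'$(ContinuousIntegrationBuild)' == 'true'"
LOCK_ON = "<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>"
LOCK_OFF = "<RestorePackagesWithLockFile>false</RestorePackagesWithLockFile>"

SAMPLES = {
    "lock file only": _project(f"<PropertyGroup>{LOCK_ON}</PropertyGroup>"),
    "condition on property": _project(
        f"<PropertyGroup>{LOCK_ON}"
        f'<RestoreLockedMode Condition="{CI}">true</RestoreLockedMode></PropertyGroup>'),
    "condition on group": _project(
        f"<PropertyGroup>{LOCK_ON}</PropertyGroup>"
        f'<PropertyGroup Condition="{CI}">'
        "<RestoreLockedMode>true</RestoreLockedMode></PropertyGroup>"),
    "lock file disabled": _project(f"<PropertyGroup>{LOCK_OFF}</PropertyGroup>"),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name}: {check_locked_mode(xml)}")
```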