Should project.lock.json file be checked into source control? (ASP.NET Core 1.0)


Using ASP.NET Core 1.0, is it best practice to check in the project.lock.json file into source control?
Short answer: No, project.lock.json should not be checked into source control - you should configure the version control system to ignore it (i.e. add it to .gitignore if you're using git).
Long answer: The project.lock.json contains a snapshot of the project's whole dependency tree - not just packages listed in "dependencies" sections, but also all resolved dependencies of those dependencies, and so on. But it is not like Ruby's Gemfile.lock. Unlike Gemfile.lock, project.lock.json doesn't tell dotnet restore which exact versions of packages should be restored - it simply gets overwritten. As such, it should be treated like a cache file and never be checked into source control.
If you check it into version control, then most probably on another machine:
- dotnet will think that all packages are restored, but in fact some packages might be missing and the build will fail, without hinting the developer to run dotnet restore
- project.lock.json will be overwritten during dotnet restore and in most cases will be different from the version stored in source control. So it will be modified in almost every commit
- project.lock.json will cause conflicts during merge
No, it is just a lock file, really you should never check it in when a lock file exists (except if the program that locked it wants to check it into source control, in that case, exclude your lock file!).
Actually you do want to commit your project.lock.json in git sometimes.
Checking your project json
For the exact reason that it shows you the dependencies you have used. Say:
1. I, as a developer, work on an application. I hate updating packages every time, so I add a package dependency on NuGet package X = 1.*
2. I restore packages and get version 1.2.4
3. The package maker just made a very stupid mistake: he broke something while just trying to make a fix, and releases 1.2.5
4. Person 2 checks out (or even worse, the release build kicks in).
5. Person 2 restores and gets version 1.2.5
6. Person 2 runs your application and finds the application is broken.
7. Person 2 starts debugging and thinks there must be a bug in the software.
At step 7, Person 2 could have seen in git that his lock file was changed and a newer version of a library had been downloaded, which has not been tested by any of the other developers!
Downsides
The downside of checking in this file is that you might get a lot of merge conflicts on continuous updates of packages.
Alternative solution
Use only hard version dependencies (this is quite hard for NuGet, though), and only manually update to a newer version once in a while.
Downsides
- This doesn't work if you build a library for other people to use, since you pin them to a certain version of your dependencies.
- Dependencies of dependencies still get resolved automatically, so if you don't specify them yourself you can't guarantee their version on dotnet restore
Conclusion
If you want to avoid 'Works on my machine' quotes and the hell of constantly manually updating to a newer version: check in the project.lock.json.
And also build a CI/Release build check to test if this file wasn't changed compared to git, before you release (if your software is very critical)!
If this is not a problem and also automatically updating (to a potentially broken package) is not a big problem, you might not want to commit your project.lock.json.
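
The CI check suggested in the conclusion above, as an added example that is not part of the original answers: it compares the committed project.lock.json with the one written by a fresh dotnet restore and reports every package whose resolved version moved. The two sample lock files are constructed, the package names are hypothetical, and only the "libraries" section (keys of the form PackageId/Version) is read.

```python
import json

# Constructed sample lock files, trimmed to the "libraries" section, whose
# keys have the form "PackageId/Version". Package names are hypothetical.
COMMITTED = json.loads("""
{"libraries": {
  "X/1.2.4": {"type": "package"},
  "Y.Transitive/3.0.0": {"type": "package"},
  "Old.Helper/0.9.0": {"type": "package"}
}}""")
RESTORED = json.loads("""
{"libraries": {
  "X/1.2.5": {"type": "package"},
  "Y.Transitive/3.0.0": {"type": "package"},
  "New.Helper/1.0.0": {"type": "package"}
}}""")


def resolved_versions(lock):
    """Map package id -> sorted list of versions resolved in a lock file."""
    versions = {}
    for key in lock.get("libraries", {}):
        name, _, version = key.rpartition("/")
        # NuGet package ids are case-insensitive, so compare in lower case.
        versions.setdefault(name.lower(), set()).add(version)
    return {name: sorted(v) for name, v in versions.items()}


def drift(committed, restored):
    """Return (package, committed_versions, restored_versions) for every
    package that changed version, was added, or was removed."""
    before, after = resolved_versions(committed), resolved_versions(restored)
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, []), after.get(name, [])
        if old != new:
            changes.append((name, old, new))
    return changes


def check(committed, restored):
    """CI gate: return 1 if the restore resolved anything not in git."""
    changes = drift(committed, restored)
    for name, old, new in changes:
        print(f"{name}: {old or 'absent'} -> {new or 'absent'}")
    return 1 if changes else 0


if __name__ == "__main__":
    raise SystemExit(check(COMMITTED, RESTORED))
```

In a build job the two inputs would be the file as committed (for example the output of git show HEAD:project.lock.json) and the file on disk after dotnet restore; a non-zero result fails the release.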
