| name | dependency-management |
| description | Manage project dependencies securely with lock files, version pinning, security audits, and update strategies for NuGet, npm, and pip. |
# Dependency Management

Purpose: Manage project dependencies securely and reliably.

## C# / .NET

### .csproj (SDK-style)
```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <Nullable>enable</Nullable>
    <LangVersion>latest</LangVersion>
  </PropertyGroup>

  <ItemGroup>
    <!-- ASP.NET Core ships with the SDK as a shared framework: reference it with
         FrameworkReference, not PackageReference (a PackageReference to it
         produces warning NETSDK1080 on .NET Core 3.0 and later). -->
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog" Version="[3.1.1]" />   <!-- exact pin -->
    <PackageReference Include="AutoMapper" Version="12.*" />   <!-- floating minor version -->
  </ItemGroup>

  <!-- Test-only dependencies, separated with a Condition -->
  <ItemGroup Condition="'$(Configuration)' == 'Debug'">
    <PackageReference Include="xunit" Version="2.6.6" />
    <PackageReference Include="Moq" Version="4.20.70" />
    <PackageReference Include="coverlet.collector" Version="6.0.0" />
  </ItemGroup>
</Project>
```
### Central Package Management (Directory.Packages.props)

```xml
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>

  <ItemGroup>
    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.0" />
    <PackageVersion Include="Serilog" Version="3.1.1" />
    <PackageVersion Include="AutoMapper" Version="12.0.1" />
    <PackageVersion Include="xunit" Version="2.6.6" />
    <PackageVersion Include="Moq" Version="4.20.70" />
  </ItemGroup>
</Project>
```
### Package Reference in .csproj with Central Management

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Versions come from Directory.Packages.props, so none are given here -->
    <PackageReference Include="Microsoft.EntityFrameworkCore" />
    <PackageReference Include="Serilog" />
    <PackageReference Include="AutoMapper" />
  </ItemGroup>
</Project>
```
### NuGet Package Management

```shell
# Resolve and download the packages referenced by the project or solution
dotnet restore
```
### Version Specifications

```xml
<!-- Exact version: only 3.1.1 is accepted -->
<PackageReference Include="Serilog" Version="[3.1.1]" />
<!-- Minimum version: 3.1.1 or higher (same as [3.1.1, )) -->
<PackageReference Include="Serilog" Version="3.1.1" />
<!-- Range: from 3.1.1 inclusive up to, but excluding, 4.0.0 -->
<PackageReference Include="Serilog" Version="[3.1.1, 4.0.0)" />
<!-- Floating patch: restore picks the highest available 3.1.x -->
<PackageReference Include="Serilog" Version="3.1.*" />
<!-- Floating minor: restore picks the highest available 3.x -->
<PackageReference Include="Serilog" Version="3.*" />
```
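The notations above are easy to misread, so here is a small Python model of their semantics, written for this page as an added example (not code from the original page or from NuGet itself). `parse_range` covers the five forms shown, `satisfies` checks a resolved version against a spec, and `unpinned_references` scans a .csproj for references that are not pinned to one exact version, which is the check behind the "use exact versions `[x.y.z]` in production" practice. Design choice to note: a floating spec is treated as a lower bound with no ceiling, since the wildcard decides which version restore selects rather than which versions are acceptable. `SAMPLE_CSPROJ` is a constructed project mirroring the entries above.

```python
"""NuGet version-range semantics (added example, not code from the page)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


def _version_key(v: str):
    """Ordering key: numeric components first (padded to NuGet's four parts);
    a prerelease label sorts below the release with the same numbers."""
    core, _, pre = v.strip().partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    return (tuple(nums), (0, pre) if pre else (1,))


@dataclass
class VersionRange:
    min: Optional[str]
    min_inclusive: bool
    max: Optional[str]
    max_inclusive: bool
    floating: bool


def parse_range(spec: str) -> VersionRange:
    spec = spec.strip()
    if spec[0] in "[(":                       # interval notation
        lo_incl, hi_incl = spec[0] == "[", spec[-1] == "]"
        inner = spec[1:-1]
        if "," not in inner:                  # "[3.1.1]" means exactly 3.1.1
            return VersionRange(inner, True, inner, True, False)
        lo, hi = (p.strip() or None for p in inner.split(",", 1))
        return VersionRange(lo, lo_incl, hi, hi_incl, False)
    if "*" in spec:                           # "3.1.*": floor 3.1.0, no ceiling
        return VersionRange(spec.replace("*", "0"), True, None, False, True)
    return VersionRange(spec, True, None, False, False)   # bare version = minimum


def satisfies(version: str, spec: str) -> bool:
    """True when version lies inside the range described by spec."""
    r = parse_range(spec)
    k = _version_key(version)
    if r.min is not None:
        lo = _version_key(r.min)
        if k < lo or (k == lo and not r.min_inclusive):
            return False
    if r.max is not None:
        hi = _version_key(r.max)
        if k > hi or (k == hi and not r.max_inclusive):
            return False
    return True


def is_pinned(spec: str) -> bool:
    """Only "[x.y.z]" (or "[x.y.z, x.y.z]") pins a single version."""
    r = parse_range(spec)
    return r.min is not None and r.min == r.max and r.min_inclusive and r.max_inclusive


def unpinned_references(csproj_xml: str) -> list[tuple[str, str]]:
    """(package id, version spec) for every PackageReference that is not pinned;
    a reference without a Version attribute is reported as "(none)"."""
    root = ET.fromstring(csproj_xml)
    return [(ref.get("Include"), ref.get("Version") or "(none)")
            for ref in root.iter("PackageReference")
            if ref.get("Version") is None or not is_pinned(ref.get("Version"))]


# Constructed sample project using the notations shown above.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog" Version="[3.1.1]" />
    <PackageReference Include="AutoMapper" Version="12.*" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, spec in unpinned_references(SAMPLE_CSPROJ):
        print(f"not pinned: {pkg} {spec}")
```

Run stand-alone it reports `Newtonsoft.Json 13.0.3` (a minimum, not a pin) and `AutoMapper 12.*` (floating); Serilog's `[3.1.1]` passes.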
### Security Audits

```shell
# List direct packages with known advisories
dotnet list package --vulnerable
# Also check packages pulled in indirectly; most findings live there
dotnet list package --vulnerable --include-transitive
# Move an affected package to a version that the advisory marks as fixed
dotnet add package <PackageName> --version <SafeVersion>
```
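In CI the audit is only useful if something acts on its result, so here is a gate that reads the JSON form of the report (`dotnet list package --vulnerable --include-transitive --format json`) and fails the build above a chosen severity. This is an added example, not code from the page or from the .NET SDK; the field names (`projects`, `frameworks`, `topLevelPackages`, `transitivePackages`, `vulnerabilities`, `severity`, `advisoryurl`) follow the SDK's report schema as known to the author of this example and should be checked against your SDK version. `SAMPLE_REPORT` is constructed, its package ids are invented and its advisory URLs are placeholders.

```python
"""Gate a build on the `dotnet list package --vulnerable` JSON report
(added example; schema assumed, sample report constructed)."""
import json
import sys

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "src/MyApp/MyApp.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "Example.TopLevel",
                "requestedVersion": "1.0.0",
                "resolvedVersion": "1.0.0",
                "vulnerabilities": [
                    {"severity": "High",
                     "advisoryurl": "https://github.com/advisories/GHSA-PLACEHOLDER-1"}],
            }],
            "transitivePackages": [{
                "id": "Example.Transitive",
                "resolvedVersion": "2.3.4",
                "vulnerabilities": [
                    {"severity": "Moderate",
                     "advisoryurl": "https://github.com/advisories/GHSA-PLACEHOLDER-2"}],
            }],
        }],
    }],
})


def findings(report_json: str) -> list[dict]:
    """Flatten the nested report into one record per (project, package, advisory)."""
    report = json.loads(report_json)
    out = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        out.append({
                            "project": project.get("path"),
                            "framework": fw.get("framework"),
                            "package": pkg["id"],
                            "version": pkg.get("resolvedVersion"),
                            "transitive": kind == "transitivePackages",
                            "severity": str(vuln.get("severity", "unknown")).lower(),
                            "advisory": vuln.get("advisoryurl"),
                        })
    return out


def should_fail(report_json: str, threshold: str = "high") -> bool:
    """True when any finding, transitive ones included, meets the threshold."""
    limit = SEVERITY_RANK[threshold.lower()]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= limit for f in findings(report_json))


if __name__ == "__main__":
    # Usage: dotnet list package --vulnerable --include-transitive --format json > report.json
    #        python gate.py report.json [threshold]
    # Without arguments the constructed sample report is evaluated.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    for f in findings(text):
        scope = "transitive" if f["transitive"] else "top-level"
        print(f'{f["severity"]:<9} {f["package"]} {f["version"]} ({scope}) {f["advisory"]}')
    sys.exit(1 if should_fail(text, threshold) else 0)
```

Transitive findings are deliberately counted: the `--include-transitive` report is the one to feed in, because a gate on direct references alone misses the larger part of the dependency graph.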
### Dependabot Configuration (.github/dependabot.yml)

```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    target-branch: "main"
```
### Package Lock Files

```xml
<PropertyGroup>
  <!-- Write packages.lock.json next to the project on restore -->
  <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
</PropertyGroup>
```

```shell
# In CI: fail the restore instead of rewriting the lock file when the graph has drifted
dotnet restore --locked-mode
```
### Global Tools

```shell
dotnet tool install -g dotnet-ef
dotnet tool update -g dotnet-ef
dotnet tool list -g
dotnet tool uninstall -g dotnet-ef
```
### Best Practices

- Use exact versions `[x.y.z]` in production for stability
- Enable Central Package Management for multi-project solutions
- Use `packages.lock.json` for deterministic builds
- Regularly check for vulnerable packages with `dotnet list package --vulnerable`
- Separate test dependencies using Conditions
- Use Dependabot or Renovate for automated updates
- Keep .NET SDK and runtime versions aligned
- Document package purposes in comments
- Review package licenses before adoption
- Prefer official Microsoft packages when available
### NuGet.config for Private Feeds

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Drop inherited user/machine-level sources so only the feeds below are used -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="MyCompanyFeed" value="https://pkgs.dev.azure.com/mycompany/_packaging/myfeed/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <MyCompanyFeed>
      <!-- %VAR% tokens are expanded from environment variables at restore time,
           so the PAT itself never lands in source control -->
      <add key="Username" value="%AZURE_DEVOPS_USERNAME%" />
      <add key="ClearTextPassword" value="%AZURE_DEVOPS_PAT%" />
    </MyCompanyFeed>
  </packageSourceCredentials>
</configuration>
```
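With two sources configured, NuGet will otherwise accept any package id from either feed, so a practitioner would pair the config above with a `packageSourceMapping` section that pins each id pattern to one feed (the longest matching pattern wins, `*` matches everything). The Python below, written for this page as an added example and not code from the page or from NuGet, embeds a constructed copy of the config above plus such a mapping, lints it for three things (sources cleared before being declared, every source mapped, `ClearTextPassword` given as an environment-variable token rather than a literal), and shows which feed a given package id would resolve from under the mapping.

```python
"""NuGet.config hygiene checks (added example; sample config constructed)."""
import re
import xml.etree.ElementTree as ET

SAMPLE_NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="MyCompanyFeed" value="https://pkgs.dev.azure.com/mycompany/_packaging/myfeed/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="MyCompanyFeed">
      <package pattern="MyCompany.*" />
    </packageSource>
  </packageSourceMapping>
  <packageSourceCredentials>
    <MyCompanyFeed>
      <add key="Username" value="%AZURE_DEVOPS_USERNAME%" />
      <add key="ClearTextPassword" value="%AZURE_DEVOPS_PAT%" />
    </MyCompanyFeed>
  </packageSourceCredentials>
</configuration>
"""

ENV_TOKEN = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")   # NuGet expands %VAR% at restore


def lint_nuget_config(xml_text: str) -> list[str]:
    """Return human-readable issues; an empty list means the config passes."""
    root = ET.fromstring(xml_text)
    issues = []
    sources = root.find("packageSources")
    keys = []
    if sources is None:
        issues.append("no <packageSources>: restore uses whatever user/machine-level sources exist")
    else:
        if sources.find("clear") is None:
            issues.append("<packageSources> lacks <clear />: inherited sources remain active")
        keys = [a.get("key") for a in sources.findall("add")]
    mapping = root.find("packageSourceMapping")
    mapped = {ps.get("key") for ps in mapping.findall("packageSource")} if mapping is not None else set()
    for key in keys:
        if key not in mapped:
            issues.append(f"source '{key}' has no packageSourceMapping entry: any package id may be restored from it")
    creds = root.find("packageSourceCredentials")
    if creds is not None:
        for feed in creds:
            for entry in feed.findall("add"):
                if entry.get("key") == "ClearTextPassword" and not ENV_TOKEN.match(entry.get("value", "")):
                    issues.append(f"ClearTextPassword for '{feed.tag}' is a literal, not an environment-variable token")
    return issues


def match_source(xml_text: str, package_id: str):
    """Source allowed to serve package_id under the mapping (None if no mapping)."""
    root = ET.fromstring(xml_text)
    mapping = root.find("packageSourceMapping")
    if mapping is None:
        return None
    pid = package_id.lower()                  # package ids are case-insensitive
    best, best_len = None, -1
    for ps in mapping.findall("packageSource"):
        for pat in ps.findall("package"):
            p = pat.get("pattern", "").lower()
            hit = pid.startswith(p[:-1]) if p.endswith("*") else pid == p
            if hit and len(p) > best_len:    # most specific pattern wins
                best, best_len = ps.get("key"), len(p)
    return best


if __name__ == "__main__":
    print(lint_nuget_config(SAMPLE_NUGET_CONFIG) or "no issues")
    for pkg in ("MyCompany.Auth", "Newtonsoft.Json"):
        print(pkg, "->", match_source(SAMPLE_NUGET_CONFIG, pkg))
```

Usage: point `lint_nuget_config` at the repository's NuGet.config in a pre-commit hook or CI step and fail on a non-empty list; `match_source` answers the review question "which feed can serve this id" without running a restore.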
Related Skills: