
Consider a .NET Core application (A), which references a third-party nuget package (B) using the PackageReference model. Package B has its own dependency on another package (C):

A -> B -> C

Package B declares a dependency on C with a version constraint of >= 1.0.0. A has no compile-time usages of C and does not reference it directly - C is a transitive run-time dependency.

However, version 1.0.0 of package C (which is picked up by the build) has a bug in it. The bug has been fixed in a more recent version, released to nuget with an incremented minor-version (e.g. v1.1.0).

By default, my build doesn't pick up this latest version. I believe this is due to the 'Lowest applicable version' rule, described here: https://learn.microsoft.com/en-us/nuget/concepts/dependency-resolution#dependency-resolution-rules

What is the recommended approach for forcing the build to pick up the bug-fix 1.1.0 version of package C?

One solution is to explicitly reference the 1.1.0 version of package C from A. However, this feels like I'm breaking encapsulation, as A shouldn't need to know anything about C.

Ideally, the author of package B would update their dependency on C to use the newer version, but I don't have any control over this package.

I also tried using a Directory.Build.props file at the root of the solution, to try and force the version to be updated across the whole solution:

  <ItemGroup>
    <PackageReference Update="SomePackage.C" Version="1.1.0" />
  </ItemGroup>

...but this doesn't work (I assume the 'lowest applicable version' rule still applies). It does work if you use Include instead of Update, but that simply installs the package into all the projects in the solution.

I'd like to be able to supply some 'policy' to the build process, to force the updated version to be picked up, but I've not found a way to do this.


Note: my actual example is more complex than the one outlined here. Both B and C are widely-used Microsoft ASP.NET packages, and C appears in dozens of places in the dependency graph (my own application never references that code directly).

Chris Brook
  • Have you tried [lock files](https://devblogs.microsoft.com/nuget/enable-repeatable-package-restores-using-a-lock-file/)? – Bohdan Stupak Dec 03 '19 at 10:41
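As an added illustration, not part of the question or its comments: a small Python check that reads a NuGet packages.lock.json (the lock file the comment above points to, produced when RestorePackagesWithLockFile is enabled) and reports any package resolved below a minimum version, together with the direct packages that pull it in. This is one way to express the "policy" the question asks for as a post-restore gate; the package names, versions and the lock-file sample are constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of a NuGet packages.lock.json; package names and the
# contentHash values are placeholders, the shape follows the real lock file.
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "SomePackage.B": {
        "type": "Direct",
        "requested": "[2.0.0, )",
        "resolved": "2.0.0",
        "contentHash": "PLACEHOLDER",
        "dependencies": { "SomePackage.C": "1.0.0" }
      },
      "SomePackage.C": {
        "type": "Transitive",
        "resolved": "1.0.0",
        "contentHash": "PLACEHOLDER"
      }
    }
  }
}"""

# Minimum acceptable versions: the fixed release of C from the question.
MIN_VERSIONS = {"SomePackage.C": "1.1.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    # Drop any prerelease tag ("1.1.0-beta") and pad to four parts so that
    # "1.1" and "1.1.0" compare equal, as NuGet treats them.
    parts = [int(p) for p in v.split("-")[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def find_violations(lock_text: str, policy: Dict[str, str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (framework, package, resolved, parents) for every package whose
    resolved version is below the policy floor; parents are the packages in the
    same framework whose dependency list names it."""
    lock = json.loads(lock_text)
    violations = []
    for tfm, pkgs in lock["dependencies"].items():
        for name, entry in pkgs.items():
            floor = policy.get(name)
            if floor is None or parse_version(entry["resolved"]) >= parse_version(floor):
                continue
            parents = sorted(p for p, e in pkgs.items() if name in e.get("dependencies", {}))
            violations.append((tfm, name, entry["resolved"], parents))
    return violations


if __name__ == "__main__":
    for tfm, name, resolved, parents in find_violations(SAMPLE_LOCK, MIN_VERSIONS):
        print(f"{tfm}: {name} resolved to {resolved}, pulled in by {parents}")
```

Run it against the real packages.lock.json after `dotnet restore` to fail the build whenever the resolved graph still contains the buggy version.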


The best way to force an update of a transitive Nuget package dependency is to update the directly referenced package to a newer version that includes the updated transitive dependency.

  • Open the Package Manager Console in Visual Studio. You can do this by going to Tools > NuGet Package Manager > Package Manager Console.
  • Run the command Update-Package <PackageName> -Version <Version>. For example, if the directly referenced package is Newtonsoft.Json, the command would be Update-Package Newtonsoft.Json -Version 12.0.3. This will update the directly referenced package and also update any transitive dependencies.
  • Check your project to see if the transitive dependency has been updated. You can do this by going to Solution Explorer and expanding the References folder.

If the package still doesn't update, try deleting the packages folder in your solution and then run the Update-Package command again. This will force NuGet to download the latest versions of all the packages and their dependencies.

In some cases, you may also need to update the project file (.csproj) to include the latest version of the dependency.

Arsalan Ahmad