NuGet restores are not necessarily repeatable due to configuration differences or updated package versions with floating versions (there is an excellent blog post here).
It would be great if this tool could accept packages.lock.json files as input for generating BOMs. This would allow for:
Repeatable BOM generation against locked build configurations
BOM generation from packages.lock.json even if source code was not available (perhaps in a later stage of a build pipeline, for example)
I will try to work on this if I find some time 👍🏻
Example packages.lock.json file:
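To show what consuming a lock file instead of running a restore looks like, here is an added example (not code from the issue or from the tool itself) that parses a constructed packages.lock.json, skips ProjectReference entries, pins each component to its resolved version rather than the requested range, and converts NuGet's base64 contentHash into the hex form a CycloneDX hash entry expects. The output shape is a lightweight component record, not a full BOM.

```python
import base64
import hashlib
import json
from typing import Dict, List


def _fake_content_hash(seed: bytes) -> str:
    # NuGet records contentHash as the base64 SHA-512 of the .nupkg;
    # here it is computed over constructed bytes instead of a real package.
    return base64.b64encode(hashlib.sha512(seed).digest()).decode()


# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )",
                                "resolved": "13.0.1",
                                "contentHash": _fake_content_hash(b"newtonsoft")},
            "System.Memory": {"type": "Transitive", "resolved": "4.5.4",
                              "contentHash": _fake_content_hash(b"memory")},
            "MyCompany.Shared": {"type": "Project",
                                 "dependencies": {"System.Memory": "[4.5.4, )"}},
        },
        "net48": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )",
                                "resolved": "13.0.1",
                                "contentHash": _fake_content_hash(b"newtonsoft")},
        },
    },
})


def lock_to_components(lock_text: str) -> List[Dict]:
    """Return one component record per pinned NuGet package, deduplicated across target frameworks."""
    lock = json.loads(lock_text)
    if lock.get("version") != 1:
        raise ValueError(f"unsupported packages.lock.json version: {lock.get('version')}")
    by_key: Dict[tuple, Dict] = {}
    for framework, packages in lock.get("dependencies", {}).items():
        for name, entry in packages.items():
            if entry.get("type") == "Project":
                continue  # ProjectReference entries are not NuGet packages
            version = entry["resolved"]  # exact pinned version, never the "requested" range
            key = (name.lower(), version)  # NuGet package ids are case-insensitive
            comp = by_key.setdefault(key, {
                "type": "library", "name": name, "version": version,
                "purl": f"pkg:nuget/{name}@{version}",
                "hashes": [{"alg": "SHA-512",
                            "content": base64.b64decode(entry["contentHash"]).hex()}],
                "dependency_type": entry["type"], "frameworks": [],
            })
            comp["frameworks"].append(framework)
    return sorted(by_key.values(), key=lambda c: c["purl"])
```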