Open nkolev92 opened 5 years ago
A bit of background:
The packages.lock.json model has 3 types of dependencies.
Now a few things that cannot be understood from the lock file:
Relevant: https://github.com/NuGet/NuGet.Client/pull/2701/files#diff-4f61fe90f26719aa002d997eb1a92576
"NuGet.Packaging": {
"type": "Project",
"dependencies": {
"Newtonsoft.Json": "9.0.1",
"NuGet.Configuration": "5.0.0-preview3",
"NuGet.Versioning": "5.0.0-preview3"
}
},
Now after fixing a few bugs with the evaluation:
https://github.com/NuGet/Home/issues/7889 https://github.com/NuGet/Home/issues/7930 https://github.com/NuGet/Home/issues/8019
We now have the lock file up to date check verify that the project reference graph is the same. However it does not verify the project versions.
The reason for this is because if we tried validating the versions, it would fail every CI build in locked mode. We recommend that every build creates package with a different version, so even our CI would fail with this.
tl;dr;
The version for projects listed in the dependencies section is useless. Furthermore it's very easy for it to get out of date. You could be building a
Removing it would require potentially changing the model of the lock file is written. I can investigate if re-moving it is a no-op. Unsure if this breaks any existing code if the file is not written with a project version. I can investigate more if we think removing them is the right approach.
I don't expect any issues if we were to fix this in 5.2 though. If it breaks the model, we increment the file version. If it doesn't break the model, switching between versions could create noise, but eventually it should disappear.
Safe to say, this won't make it in 5.1. :)
Currently if you have a transitive projects, the transitive project will have a requested version for the project. This would mean every project version change will require a lock file regeneration.
//cc @anangaur @joelverhagen @zivkan @dominoFire @rrelyea