samhowes / rules_msbuild

Build .csproj files with Bazel
Apache License 2.0

Using Host packages with NuGet allows access to undeclared dependencies #170

Open samhowes opened 2 years ago

samhowes commented 2 years ago

If UseHost is true for nuget_fetch, then nuget restore will have access to packages even if they are not explicitly declared as bazel dependencies.

This means that if a nuget package exists on the host machine, but is not declared as a bazel dependency, then the build will succeed on that machine, but could fail on other machines that haven't previously used that package.

i.e.

A.csproj => CommandLineParser/2.9.0-preview1
B.csproj => CommandLineParser/2.8.0

```starlark
nuget_fetch(
    name = "nuget",
    packages = {
        "CommandLineParser/2.9.0-preview1": ["netcoreapp3.1"],
    },
    use_host = True,
)
```

On machines that have downloaded 2.8.0, the build will succeed. On machines that haven't downloaded 2.8.0, the build will not succeed.

This is due to deps being listed simply as "@nuget//CommandLineParser" without listing the version.
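One way to catch this class of problem before it reaches a clean machine is to diff the package versions every .csproj actually references against the `packages` dict handed to `nuget_fetch`. The script below is an added example, not code from rules_msbuild or from the issue author; the two .csproj documents are constructed to mirror the A/B scenario above, the `DECLARED` dict copies the `nuget_fetch` call from the issue, and the `"id/version"` key format and the function names are assumptions for illustration. NuGet package IDs are case-insensitive, so the comparison lowercases both sides.

```python
"""Hypothetical pre-build check (not part of rules_msbuild): report PackageReferences
that a nuget_fetch with use_host = True would silently satisfy from the host's
NuGet cache because they are not declared in its packages dict."""
import xml.etree.ElementTree as ET

# Constructed sample projects mirroring the issue: A pins 2.9.0-preview1, B pins 2.8.0.
A_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CommandLineParser" Version="2.9.0-preview1" />
  </ItemGroup>
</Project>"""

B_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CommandLineParser" Version="2.8.0" />
    <PackageReference Include="Newtonsoft.Json">
      <Version>13.0.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

# The packages dict from the issue's nuget_fetch call (assumed copied verbatim).
DECLARED = {
    "CommandLineParser/2.9.0-preview1": ["netcoreapp3.1"],
}


def package_references(csproj_xml):
    """Return a set of (package_id, version) for every PackageReference in a .csproj.

    Handles both the Version="..." attribute form and the <Version> child element form.
    """
    root = ET.fromstring(csproj_xml)
    refs = set()
    for node in root.iter("PackageReference"):
        pkg = node.get("Include")
        ver = node.get("Version")
        if ver is None:
            child = node.find("Version")
            ver = child.text.strip() if child is not None and child.text else None
        if pkg and ver:
            refs.add((pkg, ver))
    return refs


def declared_packages(packages):
    """Parse nuget_fetch-style 'id/version' keys into lowercase (id, version) pairs."""
    declared = set()
    for key in packages:
        pkg, _, ver = key.partition("/")
        declared.add((pkg.lower(), ver.lower()))
    return declared


def undeclared_references(projects, packages):
    """Map project name -> sorted 'id/version' strings used but not declared.

    Anything listed here would restore only on hosts that already cached it.
    """
    declared = declared_packages(packages)
    result = {}
    for name, xml in projects.items():
        missing = sorted(
            f"{pkg}/{ver}"
            for pkg, ver in package_references(xml)
            if (pkg.lower(), ver.lower()) not in declared
        )
        if missing:
            result[name] = missing
    return result


if __name__ == "__main__":
    projects = {"A.csproj": A_CSPROJ, "B.csproj": B_CSPROJ}
    for project, missing in undeclared_references(projects, DECLARED).items():
        for ref in missing:
            print(f"{project}: {ref} is not declared in nuget_fetch(packages=...)")
```

Run against a real tree, the idea is to load every .csproj under the workspace and the `packages` dict from the WORKSPACE or .bzl file; a non-empty result is exactly the set of references that would work on a warm host cache and fail on a clean one.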