Ender2050 Ender2050 - 2 months ago 25
ASP.NET (C#) Question

Should project.lock.json file be checked into source control? (ASP.NET Core 1.0)

Using ASP.NET Core 1.0, is it best practice to check in the project.lock.json file into source control?

Answer

Short answer: No, project.lock.file should not be checked into source control - you should configure the version control system to ignore it (i.e. add it to .gitignore if you're using git).

Long answer: The project.lock.json contains a snapshot of project's whole dependency tree - not just packages listed in "dependencies" sections, but also all resolved dependencies of those dependencies, and so on. But it is not like ruby's Gemfile.lock. Unlike Gemfile.lock, project.lock.json doesn't tell dotnet restore which exact versions of packages should be restored - it simply gets overwritten. As such, it should be treated like a cache file and never be checked into source control.

If you check it into version control, then most probably on other machine:

  • dotnet will think that all packages are restored, but in fact some packages might be missing and the build will fail, without hinting the developer to run dotnet restore
  • project.lock.json will be overwritten during dotnet restore and in most cases will be different than the version stored in source control. So it will be modified in almost every commit
  • project.lock.json will cause conflicts during merge