3

When using a packages.config file to specify NuGet dependencies I'm able to provide the allowedVersions attribute to specify a SemVer string defining the range of versions I want to be able to update to. By using [] I'm currently able to effectively pin my package to a single version. E.g.:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Common.Logging" version="3.3.0" allowedVersions="[3.3.0, 3.3.0]" />      
</packages>

Now that in .NET Core projects we have project.json to specify NuGet dependencies (however short-lived it may be), how can I pin a NuGet dependency to a version such that dotnet restore doesn't update my application to a new version if one is available from my package source?

{
  "version": "1.0.0-*",
  "dependencies": {
    "NETStandard.Library": "1.6.0",
    "Newtonsoft.Json": "9.0.1" //how can i pin to 9.0.1 ??
  }
}

Figure #2 in this NuGet documentation strongly implies this is possible, but doesn't provide the syntax to do it.

-- UPDATE --

I tested this with two .NET Core class libraries and my local file system as a package repository. I created a class library called UpdateMeDependencyLib and packaged it as v1.0.0, and I consumed it from a second project via NuGet. Below is the project.json from the second class library consuming UpdateMeDependencyLib:

{
  "version": "1.0.0-*",

  "dependencies": {
    "NETStandard.Library": "1.6.0",
    "UpdateMeDependencyLib": "1.0.0"
  },

  "frameworks": {
    "netstandard1.6": {
      "imports": "dnxcore50"
    }
  }
}

I then updated UpdateMeDependencyLib to version 1.1.0 and repackaged, so there is now a v1.0.0 and a v1.1.0 NuGet package on my local system. After creating v1.1.0 of UpdateMeDependencyLib I now get the following experience:

  • Compiling the project in Visual Studio (with no changes to consumer project.json) that consumes UpdateMeDependencyLib outputs v1.1.0 to its bin directory
    • If I force a package restore on the consumer library I now get a NuGet warning "NU1007 Dependency specified was UpdateMeDependencyLib >= 1.0.0 but ended up with UpdateMeDependencyLib 1.1.0"

NU1007 warning

So it would appear simply using "1.0.0" in my consuming library doesn't pin it and it will automatically get updated when a new version appears in my NuGet source.

Dav Evans

3 Answers

1

To lock in a specific version, place the version number inside square brackets.

"UpdateMeDependencyLib": {
    "version": "[1.0.0]",
    "target": "package"
}

You will need to restore packages after updating.

Chris Biggs
0

You need to use the following notation for your ref:

"UpdateMeDependencyLib": {
   "version": "1.0.0",
   "target": "package"
}

As the two projects are in the same solution, the system doesn't use your local package repo to resolve the dependency. It directly uses the project as reference. Because the reference 1.0.0 no longer exists in the solution (and because "UpdateMeDependencyLib": "1.0.0" means >= 1.0.0), it uses the NuGet rule "Lowest applicable version" and resolves the dependency by referencing the 1.1.0 project. Note the icon of the UpdateMeDependencyLib in the dependency tree is not the NuGet one.

What I can't figure out is how we can strictly set the dependency to 1.0.0 and, in this case, break the build.

Gregory_Ott
  • I'm still confused. "Because the reference 1.0.0 no longer exists in the solution" - what do you mean here - in his project.json, he's referencing `"UpdateMeDependencyLib": "1.0.0"` - and 1.0.0 exists in his local package repository (both 1.0.0 and 1.1.0)...so why doesn't it use it? – jbyrd Aug 25 '17 at 14:03
  • @jbyrd because the system searches for a project and not a package; that's why you must force the target: "package" – Gregory_Ott Aug 25 '17 at 14:21
0

This is how you do it:

{
  "dependencies": {
    "NETStandard.Library": "1.6.0",
    "Newtonsoft.Json": {
      "version": "[9.0.1]",
      "target": "package"
    }
  }
}

This is the supported syntax for version ranges:

  • 1.0: x ≥ 1.0: Minimum version, inclusive
  • (1.0,): x > 1.0: Minimum version, exclusive
  • [1.0]: x == 1.0: Exact version match
  • (,1.0]: x ≤ 1.0: Maximum version, inclusive
  • (,1.0): x < 1.0: Maximum version, exclusive
  • [1.0,2.0]: 1.0 ≤ x ≤ 2.0: Exact range, inclusive
  • (1.0,2.0): 1.0 < x < 2.0: Exact range, exclusive
  • [1.0,2.0): 1.0 ≤ x < 2.0: Mixed inclusive minimum and exclusive maximum version
Christian Davén
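As an added example (not from any of the answers above, and not NuGet's own code), the range notation listed in the last answer can be turned into a small build-time check that reports which entries in a project.json still float. It is written in Python for use as a CI script; the function names are hypothetical, and it assumes purely numeric versions (no prerelease labels or `*` wildcards).

```python
import json

def _ver(s):
    """Numeric dotted version -> 4-tuple (assumption: no prerelease labels)."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_range(spec):
    """Return (low, low_inclusive, high, high_inclusive); None means unbounded."""
    spec = spec.strip()
    if spec[0] not in "[(":
        return _ver(spec), True, None, False       # bare "1.0" means x >= 1.0
    lo_inc, hi_inc = spec[0] == "[", spec[-1] == "]"
    body = spec[1:-1]
    if "," not in body:
        if not (lo_inc and hi_inc):
            raise ValueError("single version needs [ ]: " + spec)
        return _ver(body), True, _ver(body), True  # "[1.0]" means x == 1.0
    lo, hi = (p.strip() for p in body.split(",", 1))
    return (_ver(lo) if lo else None), lo_inc, (_ver(hi) if hi else None), hi_inc

def satisfies(version, spec):
    """True if `version` falls inside the range `spec`."""
    lo, lo_inc, hi, hi_inc = parse_range(spec)
    v = _ver(version)
    above = lo is None or v > lo or (v == lo and lo_inc)
    below = hi is None or v < hi or (v == hi and hi_inc)
    return above and below

def is_pinned(spec):
    """True only when the range admits exactly one version."""
    lo, lo_inc, hi, hi_inc = parse_range(spec)
    return lo is not None and lo == hi and lo_inc and hi_inc

def unpinned_dependencies(project_json_text):
    """Names of dependencies whose range admits more than one version."""
    deps = json.loads(project_json_text).get("dependencies", {})
    specs = {n: (d["version"] if isinstance(d, dict) else d) for n, d in deps.items()}
    return sorted(n for n, s in specs.items() if not is_pinned(s))

# Constructed sample mirroring the project.json files in this thread.
SAMPLE = """{
  "dependencies": {
    "NETStandard.Library": "1.6.0",
    "UpdateMeDependencyLib": "1.0.0",
    "Newtonsoft.Json": { "version": "[9.0.1]", "target": "package" }
  }
}"""

if __name__ == "__main__":
    print("not pinned:", unpinned_dependencies(SAMPLE))
```

Failing the build when `unpinned_dependencies` returns a non-empty list catches a floating reference before a newer package in the feed is restored in its place.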