Package dependency resolution in NuGet and naming conflicts


Problem description

On my team at work we rely on two NuGet feeds: the official one from NuGet.org for public packages and a folder on our file server for internal packages.

This has worked well for us, but I think we have a potential problem. It looks like NuGet resolves dependencies based on package name and version number. With only one feed in play, this doesn't seem like a problem. With more than one feed, there's a risk of a name conflict. Based on NuGet's resolution rules, it looks like it will pick the highest version number, regardless of feed.

This leaves us in a bit of a spot. It's not likely to happen, but if someone were to publish a package on the NuGet.org feed that had the same package name as one on our internal feed, we could end up including an unexpected package.

I can think of two ways to work around this:

1) Pull the packages we rely on into our private feed. While this is doable, it's not terribly appealing because of the management burden of constantly downloading package updates into our private feed.

2) Publish a placeholder package via the NuGet.org feed to reserve the package name. This seems like it would work, but feels like a hack to me.

Is there a better way?

Thanks for your help!

Recommended answer

This could be accomplished quite easily with our product ProGet (essentially it's a private NuGet repository with additional features), though the feature to do so is only available in the paid edition. Essentially, what you would do is point only to the ProGet hosted feed from within Visual Studio. By default, ProGet feeds are connected to the official NuGet.org feed and are able to download all packages in the official feed as well.

However, if you were to set up a "connector filter" of:

*
!YourPackageNameOrPrefix

then it would block packages with the same name as yours from being downloaded from the official feed.

If you aren't interested in a 3rd party solution, you could always name your packages with something that would be highly unlikely to be copied (e.g. YourCompany.XXXXX), but that of course would not prevent anyone from copying it on purpose.
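The following is an added example, not part of the original question or answer and not ProGet or NuGet code: a simplified model of the "highest version wins regardless of feed" behaviour the question describes, used to audit which internal package IDs a public feed could shadow, with and without a block filter like the one in the answer. The function names, the feed contents, and the filter semantics (`!` blocks an exact name or prefix, and a block overrides `*`) are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3); pre-release labels are ignored (simplification)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def allowed_by_filter(package_id, rules):
    """Assumed semantics: a plain rule allows ids matching it; a rule starting
    with '!' blocks ids equal to or starting with it. A block always wins."""
    pid = package_id.lower()  # NuGet package ids are case-insensitive
    allowed = False
    for rule in rules:
        r = rule.strip().lower()
        if r.startswith("!"):
            if pid.startswith(r[1:].rstrip("*")):
                return False
        elif fnmatchcase(pid, r):
            allowed = True
    return allowed

def resolve(package_id, feeds, public_filter=None):
    """Pick the highest version across feeds; feeds = {feed: {id: [versions]}}."""
    candidates = []
    for feed, packages in feeds.items():
        if feed == "public" and public_filter is not None \
                and not allowed_by_filter(package_id, public_filter):
            continue  # the filter keeps this id from being pulled from upstream
        for pid, versions in packages.items():
            if pid.lower() == package_id.lower():
                candidates += [(parse_version(v), v, feed) for v in versions]
    if not candidates:
        return None
    _, version, feed = max(candidates)
    return feed, version

def shadowed_internal_packages(feeds, public_filter=None):
    """Internal ids that would resolve from the public feed instead."""
    hits = {}
    for pid in feeds["internal"]:
        feed, version = resolve(pid, feeds, public_filter)
        if feed != "internal":
            hits[pid] = version
    return hits

# Constructed sample data, not real feed contents.
FEEDS = {
    "internal": {"YourCompany.Logging": ["1.4.0"], "Utils": ["2.0.1"]},
    "public": {"Utils": ["99.0.0"], "Newtonsoft.Json": ["13.0.3"]},
}
CONNECTOR_FILTER = ["*", "!YourCompany.", "!Utils"]
```

Running `shadowed_internal_packages(FEEDS)` flags the unprefixed `Utils` package, while passing `CONNECTOR_FILTER` as the second argument leaves nothing shadowed and still lets `Newtonsoft.Json` resolve from the public feed.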
