Transitive lock files (with wildcard) result in NU1004

[daniel-white]

Details about Problem

NuGet product used (NuGet.exe | VS UI | Package Manager Console | dotnet.exe): dotnet cli

NuGet version (x.x.x.xxx):

dotnet.exe --version (if appropriate): 2.1.801

OS version (i.e. win10 v1607 (14393.321)): macOS 10.14.6 (18G87)

Worked before? If so, with which NuGet version: No

Detailed repro steps so we can see the same problem

1. Create a .net standard project. Add a nuget reference with a wildcard version.

2. Enable RestorePackagesWithLockFile.

3. Run dotnet restore for the first project.

4. Add another .net standard project. Reference the first project via project reference.

5. Enable RestorePackagesWithLockFile.

6. Run dotnet restorefor the second project.

7. Run dotnet restore --locked-mode for the second project.

8. Observe NU1004

...

Other suggested things

Verbose Logs

log.txt

Sample Project

locktest.zip

[nkolev92]

@daniel-white
Can you please tell us which "wildcard" version you are referring to specifically?

There are some issues with *, but other versions like 1.* or 1.0.0-preview.* should work.

[daniel-white]

@nkolev92 the more specific versions like 1.* or 1.0.0-preview.*

[rrelyea]

(i'm assuming this was a problem with earlier nuget versions as well, right? this is not a regression?)

[daniel-white]

@rrelyea I’m not sure. I know there were some other issues that prevented me from using the lock files before this version

[nkolev92]

I verified, this is not a regression, it's always been an issue.

We have an issue with the way we express the dependencies of dependencies in the lock file.

The issue in the repro above specifically is:

      "locktest": {
        "type": "Project",
        "dependencies": {
          "Conga.Logging": "0.12.1-beta"
        }
      }

[andzn]

We're running into the same issue. We are using dotnet 5.0.202. Is there a workaround or something we can try in the meantime?

[AlexKeySmith]

Hi, we're running into the same issue as well with 5.0.302

[AlexKeySmith]

I realise this is a super old ticket so I'm guessing not a widely seen issue.
Are we best to avoid wildcards in PackageReference entirely for packages.lock.json to work?

Or is it only in the more exotic like 4.0.0-beta.* in that case are we best to use version ranges perhaps (I think they opt into pre-release?).

I wonder is it something to do with by design floating versions not opting into pre-release versions.

[AlexKeySmith]

n.b. after much experimentation I was able to use version ranges, using this very helpful tool to iterate quickly https://nugettools.azurewebsites.net/5.9.1/find-best-version-match

However unfortunately version ranges seem to break whitesource (a dependency scanning tool I'm using) so in the end I switched to non-floating versions.

[ilya-git]

This issue is quite old, are there any plans to fix it or a workaround @nkolev92 ? I don't see what else I can do apart from not using wildcards?

[nkolev92]

@martinrrm

#10458 is likely a duplicate of this issue.