Dependency Management for .NET Projects

Dependency management is the discipline most teams pretend they have under control until an audit, a CVE, or a transitive breakage proves otherwise. The supply chain narrative around npm has finally reached the .NET conversation, but the underlying problem is the same regardless of ecosystem: every package reference is a supplier, every transitive pull is a sub-supplier, and “we trust the maintainer” is not a control that survives a real review.

The structural fix on the .NET side is Central Package Management. One Directory.Packages.props declares versions for the entire solution, projects reference packages without versions, and updates become a single change rather than a sprawling diff across every csproj. The articles here treat CPM not as a nice-to-have but as the precondition for everything else — Dependabot pull requests stop being noise once they touch one file, dependency reviews actually fit in a reviewer’s head, and version drift between projects in the same solution becomes a build error rather than a runtime surprise.

On top of that base, automation does the work humans cannot do reliably. Dependabot or Renovate produce the update pull requests, GitHub’s dependency review action blocks PRs that introduce known vulnerabilities, and an action like dependamerge collapses safe minor and patch updates into automatic merges so engineers stop spending their week clicking approve. The combination turns supply-chain hygiene from a quarterly cleanup into a routine background task.

Then there is the harder problem of trust. NuGet signature verification, packageSourceMapping to pin packages to feeds, SBOM generation for what actually ships, and policies that reject unsigned packages from public sources are the controls that satisfy ISO/IEC 27001 supplier requirements. They are also what stops a typo-squatting attack from reaching production. The articles in this collection are about building that infrastructure once and letting it run, rather than rediscovering it after every incident.

247 Strangers Have Root Access to Your Production

Your organization has a thorough vendor approval process. Procurement forms. Security questionnaires. Legal reviews lasting months. Then your developers run npm install and pull 247 packages from strangers on the internet—and nobody blinks. That’s the supply chain security paradox most teams live with daily. This guide shows you how to implement Dependabot, dependency review, and SBOM generation as the defensive controls they should be—not as checkbox compliance theater.

NuGet Packages: The Suppliers You Forgot to Audit

Every NuGet package is a supplier relationship under ISO 27001. Learn how to implement Central Package Management, automated vulnerability scanning, and package signature verification to transform your .NET dependency management from security liability into auditable compliance control.

PackageDownload: NuGet's Forgotten Power Tool

PackageDownload arrived in NuGet 4.8 to solve a niche but genuine problem: downloading packages without adding assembly references. It works. But its version syntax requirements and complete disregard for Central Package Management reveal the messy reality of platform evolution.

A Tale of Forgotten Pennies and Lost Dollars

In software development, there’s a silent debt that accrues interest over time, often hidden beneath layers of code and decisions made in haste or ignorance. This debt is aptly termed technical debt. Much like the german proverb, “Wer den Pfennig nicht ehrt, ist den Taler nicht wert”, (or the english equivalent, “A penny saved is a penny earned”) technical debt reminds us that small oversights or compromises in the present can snowball into significant challenges down the road. This article critically examines the parallels between financial principles and technical debt, emphasizing the importance of addressing both direct and indirect debt while understanding its distinction from external risks such as hacking or abuse.

dependamerge-action

In software development, dependencies are inevitable - any project worth its salt relies on various libraries, frameworks, or packages. However, as I found in my own work, managing these dependencies can be an onerous task. Constant updates, new vulnerabilities, and endless manual approvals were draining my time and focus. What if, I thought, these processes could be automated? This thought led to the creation of dependamerge, a GitHub Action designed to free developers from the drudgery of manual dependency maintenance and let us get back to what we do best: building great software.