Dependency Management for .NET Projects

Dependency management is the discipline most teams pretend they have under control until an audit, a CVE, or a transitive breakage proves otherwise. The supply chain narrative around npm has finally reached the .NET conversation, but the underlying problem is the same regardless of ecosystem: every package reference is a supplier, every transitive pull is a sub-supplier, and “we trust the maintainer” is not a control that survives a real review.

The structural fix on the .NET side is Central Package Management. One Directory.Packages.props declares versions for the entire solution, projects reference packages without versions, and updates become a single change rather than a sprawling diff across every csproj. The articles here treat CPM not as a nice-to-have but as the precondition for everything else — Dependabot pull requests stop being noise once they touch one file, dependency reviews actually fit in a reviewer’s head, and version drift between projects in the same solution becomes a build error rather than a runtime surprise.

On top of that base, automation does the work humans cannot do reliably. Dependabot or Renovate produce the update pull requests, GitHub’s dependency review action blocks PRs that introduce known vulnerabilities, and an action like dependamerge collapses safe minor and patch updates into automatic merges so engineers stop spending their week clicking approve. The combination turns supply-chain hygiene from a quarterly cleanup into a routine background task.

Then there is the harder problem of trust. NuGet signature verification, packageSourceMapping to pin packages to feeds, SBOM generation for what actually ships, and policies that reject unsigned packages from public sources are the controls that satisfy ISO/IEC 27001 supplier requirements. They are also what stops a typo-squatting attack from reaching production. The articles in this collection are about building that infrastructure once and letting it run, rather than rediscovering it after every incident.
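The three pieces described above, as an added example rather than code from the articles in this collection: a Directory.Packages.props that owns every version, a csproj that references packages without versions, and a nuget.config that pins packages to feeds and requires signatures. The internal feed URL, the Contoso.* packages and the certificate fingerprint are placeholders.

```xml
<!-- Directory.Packages.props (solution root): the only place versions are declared -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- also pin transitive packages to the centrally declared versions -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <!-- illustrative versions; pick the ones your review approves -->
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageVersion Include="Contoso.Internal.Logging" Version="2.1.0" /> <!-- hypothetical internal package -->
  </ItemGroup>
</Project>

<!-- Any .csproj in the solution: references carry no Version attribute -->
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Contoso.Internal.Logging" />
  </ItemGroup>
</Project>

<!-- nuget.config (solution root): pin packages to feeds and require signatures -->
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://pkgs.example.com/nuget/v3/index.json" /> <!-- placeholder feed -->
  </packageSources>
  <packageSourceMapping>
    <!-- the longest matching pattern wins: Contoso.* may only be restored from "internal" -->
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="internal">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>
  <config>
    <!-- fail restore for any package lacking a valid signature from a trusted signer -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_SHA256_FINGERPRINT" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>
```

With CPM enabled, a PackageReference that still carries its own Version attribute fails restore with error NU1008, which is the build-time drift check the text refers to; a package named Contoso.* appearing on nuget.org is ignored rather than silently substituted, which is the typo-squatting defence packageSourceMapping provides.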

Manage NuGet Packages Centrally

For over 12 years, NuGet package management has been part of the .NET ecosystem, with direct integrations into various IDEs, CLIs and build systems. But a feature that took 12 years to appear certainly needs some more maintenance before it is mature!