Section 6 of 6

NuGet Package Management

🎯 What You'll Learn

  • What NuGet is and why it matters
  • Finding packages on NuGet.org
  • Installing and managing packages
  • Understanding package versions and dependencies
  • Package restore and caching
  • Essential packages for InvenTrack
  • Security considerations
  • Creating your own NuGet packages

What is NuGet?

NuGet is the package manager for .NET. It's like npm for Node.js, pip for Python, or Maven for Java. NuGet lets you easily add third-party libraries to your projects without manually downloading and managing DLLs.

πŸ’‘ Key Concept

Think of NuGet as an app store for code libraries. Instead of writing everything from scratch, you can install pre-built, tested libraries for common tasks like JSON parsing, database access, logging, authentication, and more.

Why Use NuGet?

  • Save Time: Don't reinvent the wheelβ€”use proven libraries
  • Easy Updates: Update packages with a single command
  • Dependency Management: Automatically handles package dependencies
  • Version Control: Lock to specific versions for stability
  • Community: Access to 350,000+ packages
  • Open Source: Most packages are free and open source

Finding Packages

NuGet.org - The Official Package Repository

Visit https://www.nuget.org to search for packages.

πŸ’‘ Evaluating Packages

Before installing a package, check:
βœ… Downloads: Popular packages have millions of downloads
βœ… Last Updated: Active maintenance is a good sign
βœ… License: Ensure it's compatible with your project
βœ… Dependencies: Fewer dependencies = less complexity
βœ… GitHub Stars: Community approval indicator

Popular NuGet Packages

Package Purpose Downloads
Newtonsoft.Json JSON serialization/deserialization 3B+
Microsoft.EntityFrameworkCore Object-Relational Mapper (ORM) 500M+
Serilog Structured logging 200M+
AutoMapper Object-to-object mapping 300M+
FluentValidation Input validation 150M+
Dapper Micro-ORM for SQL 200M+

Installing Packages

Using the dotnet CLI

Terminal Shell 
# Install latest version
dotnet add package Newtonsoft.Json

# Install specific version
dotnet add package Serilog --version 3.1.1

# Install to specific project
dotnet add src/InvenTrack.Api package Microsoft.EntityFrameworkCore

# Install prerelease version
dotnet add package SomePackage --prerelease

Using Visual Studio

  1. Right-click on your project in Solution Explorer
  2. Select "Manage NuGet Packages"
  3. Click the "Browse" tab
  4. Search for the package
  5. Click "Install"

Using VS Code

VS Code doesn't have a built-in NuGet UI, but you can:

  • Use the integrated terminal with dotnet add package
  • Install the "NuGet Package Manager" extension
  • Manually edit the .csproj file

Manual Installation (Editing .csproj)

InvenTrack.Api.csproj XML 
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog.AspNetCore" Version="8.0.0" />
  </ItemGroup>

</Project>

After editing, run dotnet restore to download the packages.

Managing Packages

Viewing Installed Packages

Terminal Shell 
# List all packages in current project
dotnet list package

# List packages in entire solution
dotnet list package

# Show package dependency tree
dotnet list package --include-transitive

Updating Packages

Terminal Shell 
# Check for outdated packages
dotnet list package --outdated

# Update to latest version (edit .csproj manually or use dotnet add)
dotnet add package Newtonsoft.Json

# Update to specific version
dotnet add package Serilog --version 3.1.1
⚠️ Breaking Changes

Major version updates (e.g., 1.x β†’ 2.x) may contain breaking changes. Always check the package's changelog before updating. Test thoroughly after updating packages.

Removing Packages

Terminal Shell 
# Remove package
dotnet remove package Newtonsoft.Json

# Remove from specific project
dotnet remove src/InvenTrack.Api package Serilog

Understanding Package Versions

Semantic Versioning (SemVer)

NuGet packages follow Semantic Versioning: MAJOR.MINOR.PATCH

Version Format Text 
3.1.2
β”‚ β”‚ β”‚
β”‚ β”‚ └─ PATCH: Bug fixes (backward compatible)
β”‚ └─── MINOR: New features (backward compatible)
└───── MAJOR: Breaking changes

Version Ranges

Notation Meaning Example
3.1.2 Exact version Only 3.1.2
3.1.* Latest patch 3.1.0, 3.1.1, 3.1.2, etc.
[3.1.0, 4.0.0) Range (inclusive, exclusive) 3.1.0 to 3.9.9
(3.1.0,) Greater than Anything above 3.1.0
πŸ’‘ Best Practice

For production apps, use exact versions to ensure reproducible builds. For libraries you're publishing, use version ranges to allow flexibility.

Package Restore

When you clone a repository or pull changes, you need to restore packages:

Terminal Shell 
# Restore packages for current project/solution
dotnet restore

# Restore with specific sources
dotnet restore --source https://api.nuget.org/v3/index.json

# Force re-download (clear cache)
dotnet restore --force
ℹ️ Automatic Restore

dotnet restore is automatically run by:
β€’ dotnet build
β€’ dotnet run
β€’ dotnet test
You rarely need to run it manually!

Package Cache Location

NuGet caches downloaded packages to speed up restores:

  • Windows: %userprofile%\.nuget\packages
  • macOS/Linux: ~/.nuget/packages
Clear Cache Shell 
# Clear all NuGet caches
dotnet nuget locals all --clear

# Clear only global packages cache
dotnet nuget locals global-packages --clear

Essential Packages for InvenTrack

Database Access

Entity Framework Core Shell 
# Core EF package
dotnet add package Microsoft.EntityFrameworkCore

# SQL Server provider
dotnet add package Microsoft.EntityFrameworkCore.SqlServer

# Design-time tools (migrations)
dotnet add package Microsoft.EntityFrameworkCore.Design

# EF Core CLI tool (global)
dotnet tool install --global dotnet-ef

Logging

Serilog Shell 
# Serilog for ASP.NET Core
dotnet add package Serilog.AspNetCore

# Sinks (output destinations)
dotnet add package Serilog.Sinks.Console
dotnet add package Serilog.Sinks.File

Validation

FluentValidation Shell 
dotnet add package FluentValidation
dotnet add package FluentValidation.AspNetCore

Object Mapping

AutoMapper Shell 
dotnet add package AutoMapper
dotnet add package AutoMapper.Extensions.Microsoft.DependencyInjection

Authentication & Authorization

Identity & JWT Shell 
# ASP.NET Core Identity
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore

# JWT Bearer Authentication
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

API Documentation

Swagger/OpenAPI Shell 
dotnet add package Swashbuckle.AspNetCore

Testing

Test Frameworks Shell 
# xUnit (testing framework)
dotnet add package xunit
dotnet add package xunit.runner.visualstudio

# Moq (mocking library)
dotnet add package Moq

# FluentAssertions (better assertions)
dotnet add package FluentAssertions

Security Considerations

Checking for Vulnerabilities

Security Audit Shell 
# Check for vulnerable packages
dotnet list package --vulnerable

# Check for outdated packages
dotnet list package --outdated
⚠️ Security Best Practices

βœ… Regularly update packages to get security patches
βœ… Run dotnet list package --vulnerable in CI/CD pipelines
βœ… Review package licenses before using in commercial projects
βœ… Avoid packages with no recent updates or few downloads
βœ… Check package source code on GitHub if possible

Package Source Configuration

You can configure custom NuGet sources in nuget.config:

nuget.config XML 
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="MyCompanyFeed" value="https://pkgs.dev.azure.com/mycompany/_packaging/myfeed/nuget/v3/index.json" />
  </packageSources>
</configuration>

Creating Your Own NuGet Packages

You can package your own libraries and share them on NuGet.org or private feeds.

Step 1: Configure Package Metadata

InvenTrack.Core.csproj XML 
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    
    <!-- Package Metadata -->
    <PackageId>InvenTrack.Core</PackageId>
    <Version>1.0.0</Version>
    <Authors>Your Name</Authors>
    <Company>InvenTrack Inc.</Company>
    <Description>Core business logic for InvenTrack inventory system</Description>
    <PackageLicenseExpression>MIT</PackageLicenseExpression>
    <PackageProjectUrl>https://github.com/yourname/inventtrack</PackageProjectUrl>
    <RepositoryUrl>https://github.com/yourname/inventtrack</RepositoryUrl>
    <PackageTags>inventory;erp;business</PackageTags>
  </PropertyGroup>

</Project>

Step 2: Pack the Project

Terminal Shell 
# Create NuGet package (.nupkg file)
dotnet pack --configuration Release

# Output will be in bin/Release/
# Example: InvenTrack.Core.1.0.0.nupkg

Step 3: Publish to NuGet.org

Terminal Shell 
# Get API key from nuget.org
# Then push package
dotnet nuget push bin/Release/InvenTrack.Core.1.0.0.nupkg --api-key YOUR_API_KEY --source https://api.nuget.org/v3/index.json
πŸ’‘ Private NuGet Feeds

For internal company packages, use private feeds:
β€’ Azure Artifacts (Azure DevOps)
β€’ GitHub Packages
β€’ MyGet
β€’ Self-hosted NuGet server

Troubleshooting Common Issues

Issue: Package Not Found

Cause: Package name typo or package doesn't exist.

Solution:

  • Verify package name on NuGet.org
  • Check spelling and capitalization
  • Ensure you're using the correct package source

Issue: Version Conflict

Cause: Two packages require different versions of the same dependency.

Solution:

  • Update all packages to latest versions
  • Use dotnet list package --include-transitive to see dependency tree
  • Manually specify version in .csproj

Issue: Restore Failed

Cause: Network issues, corrupted cache, or authentication problems.

Solution:

  • Clear NuGet cache: dotnet nuget locals all --clear
  • Check internet connection
  • Verify package source is accessible
  • Try dotnet restore --force

Key Takeaways

  • NuGet is the package manager for .NET
  • Search for packages on NuGet.org
  • Install packages with dotnet add package PackageName
  • Packages are listed in <PackageReference> in .csproj
  • Semantic Versioning: MAJOR.MINOR.PATCH
  • Use exact versions for production apps
  • dotnet restore downloads packages (usually automatic)
  • Check for vulnerabilities with dotnet list package --vulnerable
  • Essential InvenTrack packages: EF Core, Serilog, FluentValidation, AutoMapper
  • Create your own packages with dotnet pack
  • NuGet caches packages in ~/.nuget/packages
  • Clear cache with dotnet nuget locals all --clear
πŸŽ‰ Part II Complete!

Congratulations! You've completed Part II: .NET Core Basics. You now understand the .NET ecosystem, SDK installation, project structure, the dotnet CLI, and NuGet package management. You have all the foundational knowledge needed to build .NET applications!

Next up: Part III will dive into ASP.NET Core Basicsβ€” building web applications, understanding the request pipeline, configuration, and more. The journey to building InvenTrack continues! πŸš€