Allan Xu

Reputation: 9288

NuGet adds Packages folder to the solution. Should it be part of Source control?

I am using NuGet to add packages to my solution. NuGet added a Packages folder to my Visual Studio solution's root folder. The concerning part is that the “packages” folder is not part of source control. That means the source code comes from TFS, but the project references come from a folder that is fed by an external source. People can put malicious code in the packages folder and build the application.

I would like to understand how my other colleagues who get the source code from TFS source control can build the project with the packages folder not being part of source control.

Upvotes: 0

Views: 464

Answers (2)

Hamid Shahid

Reputation: 4616

We did have a similar problem where our build server wasn't allowed to have an internet connection, so it couldn't download packages. We started by creating our own NuGet source, which was simply a shared folder with all packages copied to it. The Visual Studio projects would of course use these packages rather than packages hosted on www.nuget.org.

I must say that we scrapped this idea because of the overhead of doing it as our package usage increased.

My advice is that if you are worried about packages downloaded at build time, store the packages folder in source control.

Upvotes: 1

jariq

Reputation: 12108

NuGet supports automatic package restoration, so your colleagues who use this feature will automatically download the required packages. There is a policy at nuget.org that prevents users from deleting or updating an exact version of a package once it is published, so it can support package restore without any interruptions - see this answer for more detail. If you are using package sources other than nuget.org, then you should check their package deletion/update policy because it may be different.

Upvotes: 0
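Added example, not part of either answer: a build-time check for the question's concern that someone could drop extra content into the untracked packages folder. It assumes the solution uses `packages.config` files checked into TFS and the usual `Id.Version` folder naming; the function names and sample package entries are constructed for illustration, and the check compares folder names only, not package contents.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def declared_packages(packages_config_text):
    """Return the 'Id.Version' names listed in one packages.config (lower-cased)."""
    root = ET.fromstring(packages_config_text)
    return {
        "{}.{}".format(p.get("id"), p.get("version")).lower()
        for p in root.iter("package")
    }


def audit_packages_folder(packages_dir, config_texts):
    """Compare restored package folders with what source control declares.

    'undeclared' = folders present on disk that no packages.config asks for.
    'missing'    = declared packages that have not been restored yet.
    """
    declared = set()
    for text in config_texts:
        declared |= declared_packages(text)
    present = {
        name.lower()
        for name in os.listdir(packages_dir)
        if os.path.isdir(os.path.join(packages_dir, name))
    }
    return {
        "undeclared": sorted(present - declared),
        "missing": sorted(declared - present),
    }


def demo():
    # Constructed sample: a packages.config as it would be checked into TFS.
    config = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="6.0.8" targetFramework="net45" />
  <package id="NUnit" version="2.6.4" targetFramework="net45" />
</packages>"""
    with tempfile.TemporaryDirectory() as packages_dir:
        # Constructed packages folder: one declared package, one unexpected folder.
        for name in ("Newtonsoft.Json.6.0.8", "Helper.Tools.1.0.0"):
            os.makedirs(os.path.join(packages_dir, name))
        return audit_packages_folder(packages_dir, [config])


if __name__ == "__main__":
    print(demo())
```

A build step can fail when `undeclared` is non-empty, so that only packages named in source-controlled files take part in the build.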
