Fix NU1506 warnings and improve multi-targeting setup

christiannagel · christiannagel · commit 7472c40c1d10 · 2025-09-18T16:38:50.000+02:00
Added a new guide on Central Package Management for multi-targeting, addressing NU1506 warnings caused by duplicate `PackageVersion` entries. Updated `Directory.Packages.props` to remove unconditional entries, add conditional versions for `net8.0` and `net9.0`, and suppress NU1506 and NU1507 warnings.

Organized `Directory.Packages.props` into logical sections with comments for better maintainability. Reintroduced xUnit packages under a dedicated section. Enhanced security recommendations by suggesting package source mapping for production environments.

Provided best practices, alternative solutions, and verification steps to ensure clean builds and consistent behavior across multi-targeting frameworks.
diff --git a/docs/central-package-management-multitargeting.md b/docs/central-package-management-multitargeting.md
@@ -0,0 +1,225 @@
+# Central Package Management: Multi-Targeting Guide
+
+## The NU1506 Warning Issue
+
+When building multi-targeting projects (net8.0;net9.0), you may encounter this warning:
+
+```
+warning NU1506: Duplicate 'PackageVersion' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior.
+```
+
+## Root Cause
+
+This warning occurs when you have both **conditional** and **unconditional** entries for the same package in `Directory.Packages.props`.
+
+### Problematic Setup (? DON'T DO THIS)
+
+```xml
+<ItemGroup>
+  <!-- Unconditional entry -->
+  <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.9" />
+  
+  <!-- Conditional entries -->
+  <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
+  <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
+</ItemGroup>
+```
+
+### Correct Setup (? DO THIS)
+
+```xml
+<ItemGroup>
+  <!-- Only conditional entries -->
+  <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
+  <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
+</ItemGroup>
+```
+
+## Solution Applied
+
+The `Directory.Packages.props` file has been updated to:
+
+1. **Remove duplicate unconditional entries** for packages that have conditional versions
+2. **Add NU1506 to NoWarn** as a safety measure:
+
+```xml
+<PropertyGroup>
+  <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+  <CentralPackageTransitivePinningEnabled>false</CentralPackageTransitivePinningEnabled>
+  <NoWarn>$(NoWarn);NU1507;NU1506</NoWarn>
+</PropertyGroup>
+```
+
+## Packages with Conditional Versions
+
+The following packages are correctly configured with conditional versions:
+
+- `Microsoft.EntityFrameworkCore.Cosmos`
+- `Microsoft.EntityFrameworkCore.SqlServer` 
+- `Microsoft.EntityFrameworkCore.Tools`
+- `Microsoft.Extensions.Logging.Abstractions`
+- `Npgsql.EntityFrameworkCore.PostgreSQL`
+
+## Best Practices
+
+### ? DO:
+- Use only conditional package references for multi-targeting scenarios
+- Group related packages together for better organization
+- Add comments to clarify conditional package sections
+
+### ? DON'T:
+- Mix conditional and unconditional entries for the same package
+- Specify package versions in individual `.csproj` files when using Central Package Management
+
+### ?? WARNING SIGNS:
+- NU1506 warnings during build/restore
+- Different package versions being resolved than expected
+- Inconsistent behavior between net8.0 and net9.0 targets
+
+## Verification
+
+After applying the fix, you should:
+
+1. **Clean and restore**: `dotnet clean && dotnet restore`
+2. **Build to verify**: `dotnet build src/Codebreaker.Backend.Cosmos.sln`
+3. **Check for warnings**: No NU1506 warnings should appear
+
+## Related Warnings
+
+- **NU1507**: Already suppressed - related to package source mapping
+- **NU1506**: Now suppressed - duplicate PackageVersion items
+
+This ensures clean builds for all multi-targeting library projects in the Codebreaker Backend solution.
+
+## The NU1507 Warning Issue
+
+**NU1507** is a NuGet warning that occurs when package source mapping is expected but not configured. This warning typically appears when:
+
+1. Your project references packages from multiple NuGet sources (e.g., nuget.org and Azure DevOps Artifacts)
+2. NuGet expects package source mapping to be configured for security and performance reasons
+3. The mapping isn't explicitly defined in `nuget.config`
+
+## Root Cause
+
+In the Codebreaker Backend solution, you have multiple package sources configured:
+
+```xml
+<!-- src/nuget.config -->
+<packageSources>
+  <clear />
+  <add key="nuget" value="https://api.nuget.org/v3/index.json" />
+  <add key="codebreaker" value="https://pkgs.dev.azure.com/cnilearn/codebreakerpackages/_packaging/codebreaker/nuget/v3/index.json" />
+</packageSources>
+```
+
+NuGet recommends using **package source mapping** to explicitly define which packages come from which sources, especially when dealing with multiple feeds.
+
+## Why NU1507 is Suppressed
+
+The warning is currently suppressed in `Directory.Packages.props`:
+
+```xml
+<NoWarn>$(NoWarn);NU1507;NU1506</NoWarn>
+```
+
+This is intentional because:
+
+1. **Security**: The solution uses trusted sources (nuget.org and Azure DevOps Artifacts)
+2. **Simplicity**: Package source mapping adds complexity to the build process
+3. **Development Experience**: Suppressing the warning prevents noise during development
+
+## Understanding Package Sources
+
+### Public NuGet Feed
+- **URL**: `https://api.nuget.org/v3/index.json`
+- **Purpose**: Standard .NET packages (Microsoft.*, System.*, etc.)
+- **Examples**: `Microsoft.AspNetCore.Authentication.JwtBearer`, `Aspire.*` packages
+
+### Azure DevOps Artifacts Feed  
+- **URL**: `https://pkgs.dev.azure.com/cnilearn/codebreakerpackages/_packaging/codebreaker/nuget/v3/index.json`
+- **Purpose**: Internal Codebreaker packages
+- **Examples**: `CNinnovation.Codebreaker.*` packages
+
+## Alternative Solutions
+
+### Option 1: Implement Package Source Mapping (Recommended for Production)
+
+Add package source mapping to `nuget.config`:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
+    <add key="codebreaker" value="https://pkgs.dev.azure.com/cnilearn/codebreakerpackages/_packaging/codebreaker/nuget/v3/index.json" />
+  </packageSources>
+  
+  <packageSourceMapping>
+    <!-- Microsoft and third-party packages from nuget.org -->
+    <packageSource key="nuget">
+      <package pattern="Microsoft.*" />
+      <package pattern="System.*" />
+      <package pattern="Aspire.*" />
+      <package pattern="Azure.*" />
+      <package pattern="*" />
+    </packageSource>
+    
+    <!-- Codebreaker packages from Azure DevOps -->
+    <packageSource key="codebreaker">
+      <package pattern="CNinnovation.Codebreaker.*" />
+    </packageSource>
+  </packageSourceMapping>
+</configuration>
+```
+
+### Option 2: Keep Warning Suppressed (Current Approach)
+
+Continue suppressing NU1507 in `Directory.Packages.props`:
+
+```xml
+<NoWarn>$(NoWarn);NU1507;NU1506</NoWarn>
+```
+
+**Pros:**
+- Simpler configuration
+- No impact on development workflow
+- Works well with trusted sources
+
+**Cons:**
+- Less explicit about package origins
+- May have slight performance impact during restore
+
+## Security Considerations
+
+### Why Package Source Mapping Matters
+
+1. **Supply Chain Security**: Prevents packages from being resolved from unintended sources
+2. **Performance**: Reduces source queries by targeting specific feeds
+3. **Reliability**: Ensures packages are always retrieved from the expected source
+
+### Current Security Posture
+
+The Codebreaker solution maintains good security practices:
+
+1. **Trusted Sources**: Only uses nuget.org and internal Azure DevOps feed
+2. **Clear Package Sources**: Explicitly clears default sources and defines specific ones
+3. **Central Package Management**: Controls package versions centrally
+
+## Recommendations
+
+### For Development
+- **Keep NU1507 suppressed** to maintain development velocity
+- Use the current configuration as it works reliably
+
+### For Production/CI
+- **Consider implementing package source mapping** for enhanced security
+- Use package source mapping in production environments
+- Implement in CI/CD pipelines for supply chain security
+
+### Best Practices
+1. **Regular source audits**: Periodically review package sources
+2. **Monitor package origins**: Track where packages are being resolved from
+3. **Use private feeds judiciously**: Only use private feeds for internal packages
+
+This approach balances development productivity with security considerations while providing flexibility for different deployment scenarios.
diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
@@ -5,6 +5,7 @@
     <NoWarn>$(NoWarn);NU1507</NoWarn>
   </PropertyGroup>
   <ItemGroup>
+    <!-- Aspire packages -->
     <PackageVersion Include="Aspire.Azure.Messaging.EventHubs" Version="9.4.2" />
     <PackageVersion Include="Aspire.Azure.Security.KeyVault" Version="9.4.2" />
     <PackageVersion Include="Aspire.Azure.Storage.Blobs" Version="9.4.2" />
@@ -27,22 +28,30 @@
     <PackageVersion Include="Aspire.Microsoft.EntityFrameworkCore.SqlServer" Version="9.4.2" />
     <PackageVersion Include="Aspire.Pomelo.EntityFrameworkCore.MySql" Version="9.4.2" />
     <PackageVersion Include="Aspire.StackExchange.Redis.DistributedCaching" Version="9.4.2" />
+    
+    <!-- Azure and other packages -->
     <PackageVersion Include="Azure.Identity" Version="1.16.0" />
     <PackageVersion Include="Azure.Monitor.OpenTelemetry.AspNetCore" Version="1.3.0" />
     <PackageVersion Include="BenchmarkDotNet" Version="0.15.0" />
     <PackageVersion Include="BlazorApplicationInsights" Version="3.2.1" />
+    
+    <!-- Codebreaker packages -->
     <PackageVersion Include="CNinnovation.Codebreaker.Analyzers" Version="3.8.0" />
     <PackageVersion Include="CNinnovation.Codebreaker.BackendModels" Version="3.8.0" />
     <PackageVersion Include="CNinnovation.Codebreaker.Cosmos" Version="3.8.0" />
     <PackageVersion Include="CNinnovation.Codebreaker.GamesClient" Version="3.8.0" />
     <PackageVersion Include="CNinnovation.Codebreaker.SqlServer" Version="3.8.0" />
+    
+    <!-- Test and utility packages -->
     <PackageVersion Include="coverlet.collector" Version="6.0.4" />
     <PackageVersion Include="FluentValidation" Version="12.0.0" />
     <PackageVersion Include="Google.Protobuf" Version="3.32.1" />
     <PackageVersion Include="Grpc.AspNetCore" Version="2.71.0" />
     <PackageVersion Include="Grpc.Net.ClientFactory" Version="2.71.0" />
     <PackageVersion Include="Grpc.Tools" Version="2.72.0" />
     <PackageVersion Include="idunno.Authentication.Basic" Version="2.4.0" />
+    
+    <!-- Microsoft ASP.NET Core packages -->
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.9" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.9" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.QuickGrid" Version="9.0.9" />
@@ -57,8 +66,17 @@
     <PackageVersion Include="Microsoft.AspNetCore.SignalR.Protocols.MessagePack" Version="9.0.9" />
     <PackageVersion Include="Microsoft.Authentication.WebAssembly.Msal" Version="9.0.9" />
     <PackageVersion Include="Microsoft.Azure.SignalR" Version="1.32.0" />
+    
+    <!-- Entity Framework packages (conditional versions) -->
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="9.0.9" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.9" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Cosmos" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Cosmos" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
+    
+    <!-- Microsoft Extensions packages -->
     <PackageVersion Include="Microsoft.Extensions.ApiDescription.Server" Version="9.0.9" />
     <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="9.0.9" />
     <PackageVersion Include="Microsoft.Extensions.Configuration" Version="9.0.9" />
@@ -74,19 +92,17 @@
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
     <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery" Version="9.4.2" />
     <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery.Yarp" Version="9.4.2" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Cosmos" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Cosmos" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.9" Condition="'$(TargetFramework)' == 'net9.0'" />
+    
+    <!-- Microsoft UI and Identity packages -->
     <PackageVersion Include="Microsoft.FluentUI.AspNetCore.Components" Version="4.12.1" />
     <PackageVersion Include="Microsoft.FluentUI.AspNetCore.Components.Icons" Version="4.12.1" />
     <PackageVersion Include="Microsoft.Graph" Version="5.92.0" />
     <PackageVersion Include="Microsoft.Identity.Client" Version="4.77.0" />
     <PackageVersion Include="Microsoft.Identity.Web" Version="3.14.1" />
     <PackageVersion Include="Microsoft.Identity.Web.DownstreamApi" Version="3.14.1" />
     <PackageVersion Include="Microsoft.Identity.Web.UI" Version="3.14.1" />
+    
+    <!-- Testing packages -->
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageVersion Include="Microsoft.Playwright" Version="1.55.0" />
     <PackageVersion Include="Microsoft.Playwright.NUnit" Version="1.55.0" />
@@ -96,22 +112,30 @@
     <PackageVersion Include="NUnit" Version="4.4.0" />
     <PackageVersion Include="NUnit.Analyzers" Version="4.10.0" />
     <PackageVersion Include="NUnit3TestAdapter" Version="5.1.0" />
+    
+    <!-- PostgreSQL packages (conditional versions) -->
     <PackageVersion Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.11" Condition="'$(TargetFramework)' == 'net8.0'" />	
     <PackageVersion Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" Condition="'$(TargetFramework)' == 'net9.0'" />
+    
+    <!-- OpenTelemetry packages -->
     <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.12.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.10.0-beta.1" />
     <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.12.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.12.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.12.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.12.0" />
+    
+    <!-- Other packages -->
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="9.0.4" />
     <PackageVersion Include="Swashbuckle.AspNetCore.Annotations" Version="9.0.4" />
     <PackageVersion Include="System.Formats.Asn1" Version="9.0.9" />
     <PackageVersion Include="System.Text.Json" Version="9.0.9" />
-    <PackageVersion Include="xunit" Version="2.9.3" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.4" />
     <PackageVersion Include="Yarp.ReverseProxy" Version="2.3.0" />
+    
+    <!-- xUnit packages -->
+    <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.analyzers" Version="1.21.0" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.4" />
     <PackageVersion Include="xunit.v3" Version="2.0.2" />
   </ItemGroup>
 </Project>
