How to hide dependent Nuget .dll's from consuming parent .dlls - What is the difference between 'Private Dependencies' and 'Merge / Repack' dependencies?

Question

How to hide dependent Nuget .dll's from consuming parent .dlls - What is the difference between 'Private Dependencies' and 'Merge / Repack' dependencies?

Jeff Ward 1

Note: When I use the word .dll, I mean a NuGet package I have made that has a collection of methods, and dependencies, such as Newtonsoft.Json as an example.

Hello!

I am building an infrastructure of NuGet packages which keeps modularity in mind. Basically, if I have more NuGet packages, I only need to write the code once, and it can be shared between other .dll's which require the code. If I did not do this, I would need to copy and paste the code in multiple separate NuGet package .dlls'

Here is an example diagram, I tried to think of a some-what realistic case of 'dependency hell' where NuGet packages depend on other NuGet packages

The scenario:

My thing is that when I install 1 NuGet package (AAA) which relies on 5 other NuGet packages (BBB, CCC, DDD, EEE, FFF) for example, the parent (123) which consumes (AAA) will be able to reference all public methods in (BBB, CCC, DDD, EEE, FFF) packages.

The Question:

How do I prevent the parent (123) the ability to reference public methods in (BBB, CCC, DDD, EEE, FFF) packages? I only want the parent (123) to have the ability to use public methods from (AAA) which the parent (123) consumes and relies on as a direct dependency?

Why do I want this?

It seems wrong that the parent (123) can reference all of those other public methods, I am sure I will get some errors or issues down the line if I allow this.

My Research for the solution??

Private dependencies:

https://stackoverflow.com/questions/50875356/how-to-exclude-a-package-from-a-class-library-nuget-package

I am not sure if this is what I want.. but maybe it will work?

Merge or Repack dependencies using ILMerge or ILRepack:

https://www.meziantou.net/merging-assemblies-using-ilrepack.htm

https://www.continuousimprover.com/2016/05/the-magic-of-hiding-your-nuget.html

I am not sure if I I need to use ILMerge or Repack, it seems like maybe its overkill? or maybe its exactly what I need?

I am a bit stuck on this and would love some guidance or suggestions if you guys have any! Maybe im being over-zealous and do not need to worry about 'The Scenario' at all!

Thanks everyone!

Tianyu Sun-MSFT 33,806 Reputation points Microsoft External Staff

2022-01-20T08:19:49.157+00:00

Hello @Jeff Ward , I think that the Private Dependencies you researched and mentioned is enough.
simplify3000 1 Reputation point

2025-02-24T15:41:40.8+00:00

hi @Tianyu Sun-MSFT - I have the same issue and also tried the above "Private Dependencies" suggestion. https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#controlling-dependency-assets

But that leads to another problem. The swagger pages don't load, and the IApplicationBuilder.Use calls fail, because the nuget that I tried to hide is no longer found.

So essentially I can no longer call my apis, and my ASP.NET application stops working.

(To be able to use public code inside any nuget from a C# ASP.NET project, that nuget must be copied into my project's "bin" folder when deploying. If I have nuget A that references nuget B, and my ASP.NET project references nuget A (but not nuget B directly), then both nuget A (dll) and nuget B (dll) must exist in my ASP.net "bin" folder. If I use "privateassets" inside nuget A to "hide" nuget B, then nuget B will no longer be copied into my "bin" folder. Then if my project calls something in nuget A, the call will fail because nuget A can no longer find nuget B that it relies on. )

The reason I have this concern like the OP is that my nuget's users are unknowingly calling methods directly from "nuget B" that my "nuget A" references, and then expecting me to "support" it (code that I never wrote myself). Technically they should have been aware of this, but some developers wrote it and moved elsewhere, no one knew they did this. Now that team has found this "problem" and expect me to fix it.

My goal is to prevent this from happening in the future.

Is there a way to "hide" the public methods (during development) from this "nuget B" from nuget users (api developers), BUT still copy it into their ASP.NET "bin" folder (at runtime)?

2 answers

Your answer

Tianyu Sun-MSFT 33,806 Reputation points Microsoft External Staff

2022-01-20T08:19:49.157+00:00

Hello @Jeff Ward , I think that the Private Dependencies you researched and mentioned is enough.
simplify3000 1 Reputation point

2025-02-24T15:41:40.8+00:00

hi @Tianyu Sun-MSFT - I have the same issue and also tried the above "Private Dependencies" suggestion. https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#controlling-dependency-assets

But that leads to another problem. The swagger pages don't load, and the IApplicationBuilder.Use calls fail, because the nuget that I tried to hide is no longer found.

So essentially I can no longer call my apis, and my ASP.NET application stops working.

(To be able to use public code inside any nuget from a C# ASP.NET project, that nuget must be copied into my project's "bin" folder when deploying. If I have nuget A that references nuget B, and my ASP.NET project references nuget A (but not nuget B directly), then both nuget A (dll) and nuget B (dll) must exist in my ASP.net "bin" folder. If I use "privateassets" inside nuget A to "hide" nuget B, then nuget B will no longer be copied into my "bin" folder. Then if my project calls something in nuget A, the call will fail because nuget A can no longer find nuget B that it relies on. )

The reason I have this concern like the OP is that my nuget's users are unknowingly calling methods directly from "nuget B" that my "nuget A" references, and then expecting me to "support" it (code that I never wrote myself). Technically they should have been aware of this, but some developers wrote it and moved elsewhere, no one knew they did this. Now that team has found this "problem" and expect me to fix it.

My goal is to prevent this from happening in the future.

Is there a way to "hide" the public methods (during development) from this "nuget B" from nuget users (api developers), BUT still copy it into their ASP.NET "bin" folder (at runtime)?

Answer 1

Vincent Boots 1

In this scenario, you can use the PrivateAssets metadata to control this behavior.

more documentation you can find in:
https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#controlling-dependency-assets

hope this answers your question.

Answer 2

private assets are assets you don't want exposed to the consumer. say you use a test harness, and don't want that included in you nuget package. private means the asset is not included in the nuget package. if used for a dependent dll, then the dll is not included, but the code will not run if the consumer does not include the dll.

the assembly merge is probably what you are trying to do. this embeds the dependent assemblies in the target, but they have a new namespace. this affects attributes also. so you will need to careful if you use reflection.

the will work best if you only expose one master nuget package. say you have 2 peer packages a & b, and they both use c & d, it means both a & b need imbedded copies of c & d. if c & d depend on other dependencies, these must be imbedded in a & b also. but if the consumer can use a & d, you end up with more copies.

Share via

How to hide dependent Nuget .dll's from consuming parent .dlls - What is the difference between 'Private Dependencies' and 'Merge / Repack' dependencies?

The scenario:

The Question:

Why do I want this?

My Research for the solution??

Private dependencies:

Merge or Repack dependencies using ILMerge or ILRepack:

2 answers

Your answer