dotnet-restore - Man Page

Restores the dependencies and tools of a project.

Examples (TL;DR)

dotnet restore

This article applies to: ✔️ .NET Core 3.1 SDK and later versions

Synopsis

dotnet restore [<ROOT>] [--configfile <FILE>] [--disable-build-servers]
    [--disable-parallel]
    [-f|--force] [--force-evaluate] [--ignore-failed-sources]
    [--interactive] [--lock-file-path <LOCK_FILE_PATH>] [--locked-mode]
    [--no-cache] [--no-dependencies] [--packages <PACKAGES_DIRECTORY>]
    [-r|--runtime <RUNTIME_IDENTIFIER>] [-s|--source <SOURCE>]
    [--tl:[auto|on|off]] [--use-current-runtime, --ucr [true|false]]
    [--use-lock-file] [-v|--verbosity <LEVEL>]

dotnet restore -h|--help

Description

A .NET project typically references external libraries in NuGet (https://www.nuget.org) packages that provide additional functionality. These external dependencies are referenced in the project file (.csproj or .vbproj). When you run the dotnet restore command, the .NET CLI uses NuGet to look for these dependencies and download them if necessary. It also ensures that all the dependencies required by the project are compatible with each other and that there are no conflicts between them. Once the command is completed, all the dependencies required by the project are available in a local cache and can be used by the .NET CLI to build and run the application.

In most cases, you don’t need to explicitly use the dotnet restore command, since if a NuGet restore is necessary, the following commands run it implicitly:

Sometimes, it might be inconvenient to run the implicit NuGet restore with these commands. For example, some automated systems, such as build systems, need to call dotnet restore explicitly to control when the restore occurs so that they can control network usage. To prevent the implicit NuGet restore, you can use the --no-restore flag with any of these commands.

Signed package verification during restore operations requires a certificate root store that is valid for both code signing and timestamping. For more inforomation, see NuGet signed package verification.

Specify feeds

To restore the dependencies, NuGet needs the feeds where the packages are located. Feeds are usually provided via the nuget.config configuration file. A default configuration file is provided when the .NET SDK is installed. To specify additional feeds, do one of the following:

  • Create your own nuget.config file in the project directory. For more information, see Common NuGet configurations and nuget.config differences later in this article.
  • Use dotnet nuget commands such as dotnet nuget add source.

You can override the nuget.config feeds with the -s option.

For information about how to use authenticated feeds, see Consuming packages from authenticated feeds.

Global packages folder

For dependencies, you can specify where the restored packages are placed during the restore operation using the --packages argument. If not specified, the default NuGet package cache is used, which is found in the .nuget/packages directory in the user’s home directory on all operating systems. For example, /home/user1 on Linux or C: on Windows.

Project-specific tooling

For project-specific tooling, dotnet restore first restores the package in which the tool is packed, and then proceeds to restore the tool’s dependencies as specified in its project file.

nuget.config differences

The behavior of the dotnet restore command is affected by the settings in the nuget.config file, if present. For example, setting the globalPackagesFolder in nuget.config places the restored NuGet packages in the specified folder. This is an alternative to specifying the --packages option on the dotnet restore command. For more information, see the nuget.config reference.

There are three specific settings that dotnet restore ignores:

  • bindingRedirects

    Binding redirects don’t work with <PackageReference> elements and .NET only supports <PackageReference> elements for NuGet packages.

  • solution

    This setting is Visual Studio specific and doesn’t apply to .NET. .NET doesn’t use a packages.config file and instead uses <PackageReference> elements for NuGet packages.

  • trustedSigners

    Support for cross-platform package signature verification was added in the .NET 5.0.100 SDK.

Workload manifest downloads

When you run this command, it initiates an asynchronous background download of advertising manifests for workloads. If the download is still running when this command finishes, the download is stopped. For more information, see Advertising manifests.

Arguments

Options

Examples

Audit for security vulnerabilities

Starting in .NET 8, dotnet restore includes NuGet security auditing. This auditing produces a report of security vulnerabilities with the affected package name, the severity of the vulnerability, and a link to the advisory for more details.

To opt out of the security auditing, set the <NuGetAudit> MSBuild property to false in your project file.

To retrieve the known vulnerability dataset, ensure that you have the NuGet.org central registry defined as one of your package sources:

<packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>

You can configure the level at which auditing will fail by setting the <NuGetAuditLevel> MSBuild property. Possible values are low, moderate, high, and critical. For example if you only want to see moderate, high, and critical advisories, you can set the property to moderate.

Starting in .NET 9, NuGet audits both direct and transitive package references, by default. In .NET 8, only direct package references are audited. You can change the mode by setting the <NuGetAuditMode> MSBuild property to direct or all.

For more information, see Auditing package dependencies for security vulnerabilities.

Info

2024-10-02 .NET Documentation