Vulnerability in EPiServer.Forms
This topic has been discussed quite a bit but I want to pose the question again for the latest versions of EPiServer (8) and Nuget (2.8.3). Is it required to add the EPiServer Nuget packages to Source Control if we would like a working site after a fresh pull?
I'm working on a new EPiServer Commerce site where the client is using Git and doesn't want to fill up the repo with the extraneous files needed for the EPiServer CMS and EPiServer Commerce backends. With recent versions of Nuget, packages will be automatically restored before a build (I'm not talking about Nuget Package Restore). So in theory, as long as you add the correct nuget.config, repository.config and packages.config(s) to source control, the packages should all be restored upon build.
We couldn't quite get this working though:
For EPiServer CMS:
The packages were all installed to our repository path but none of the protected modules were added to modules/_protectedmodules. Can this happen during a Nuget restore? Or will this only happen when you install the package explicitly?
For EPiServer Commerce:
This was much the same, all the references and packages were installed but none of the application files (Apps, App_GlobalResources) were added to the site. Is this supposed to happen through a restore?
Finally, out of curiosity, would it be possible to set up EPiServer Add-Ons to automatically restore as well? I can't really see how that would work since the packages.config is separate to the other packages.config and doesn't seem to be tied into the Nuget configuration at all.
Restoring packages is different from installing (or updating) packages. Restore basically means to download and unzip the nupkgs into the packages folder. All other changes (add content files like the protected module zips, modify assembly binding redirects and other config, add references to project...) only happen on install, and therefore need to be committed to source control. (The local db files are a special case, depending on whether you've moved and attached them to a sql server instance etc.)
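
An added example (not from the original thread or from EPiServer) of the distinction drawn in the answer above: a check for a fresh clone that lists install-time content files which a restore alone has not put into the site. It assumes packages.config-style packages that carry those files under the package's `content/` folder; files created by a package's install scripts are not detected, and the function names are hypothetical.

```python
"""Report NuGet content files that a restore alone leaves missing from a project."""
import sys
import zipfile
from pathlib import Path
from urllib.parse import unquote

# Transform files are merged into existing config on install, never copied as-is.
TRANSFORM_SUFFIXES = (".transform", ".install.xdt", ".uninstall.xdt")


def content_files(nupkg_path):
    """Return project-relative paths that installing this .nupkg would copy."""
    paths = []
    with zipfile.ZipFile(nupkg_path) as pkg:
        for raw in pkg.namelist():
            name = unquote(raw)  # entry names in a .nupkg are percent-encoded
            if name.endswith("/") or not name.lower().startswith("content/"):
                continue  # skip directory entries and lib/, tools/, build/
            rel = name[len("content/"):]
            if rel.lower().endswith(TRANSFORM_SUFFIXES):
                continue
            if rel.lower().endswith(".pp"):
                rel = rel[:-3]  # source transforms drop the .pp suffix on install
            paths.append(rel)
    return sorted(paths)


def missing_after_restore(packages_dir, project_dir):
    """Map each restored package to content files absent from the project tree."""
    report = {}
    for nupkg in sorted(Path(packages_dir).rglob("*.nupkg")):
        missing = [p for p in content_files(nupkg)
                   if not (Path(project_dir) / p).is_file()]
        if missing:
            report[nupkg.stem] = missing
    return report


# Usage: python check_content.py <packages folder> <web project folder>
if __name__ == "__main__" and len(sys.argv) == 3:
    for package, files in missing_after_restore(sys.argv[1], sys.argv[2]).items():
        print(package)
        for f in files:
            print("  missing:", f)
```

Any path it reports is a file that only an install would have created, so it has to come from source control.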