Update: project.json has been replaced with .csproj as the main project file for .NET Standard projects. This question refers to the old system before the introduction of PackageReference in NuGet 4.0.
You may still occasionally see project.lock.json as an artifact of the build process, but it should be ignored. Managing the NuGet packages that your .NET Standard/.NET Core project depends on should always be done by either
- Editing the
.csprojfile directly - Using the dotnet CLI (
dotnet add package, etc) - Using the Package Manager GUI if you’re using Visual Studio
Old answer for posterity: project.lock.json is generated by the .NET tooling when you restore the project’s packages. You shouldn’t touch it or check it into source control. Edit project.json directly.
During the package restore process (dotnet restore), NuGet has to analyze the dependencies in your project, walk their dependency graphs, and figure out what packages should be installed for your project and your project’s dependencies.
This is a non-trivial amount of work, so the results are cached in project.lock.json to make subsequent restores faster and more efficient. The lock file will be regenerated if project.json is modified and dotnet restore is executed again.