
Private dependencies appear in an app's deps.json file #39400

@ViktorHofer

Describe the bug

The deps.json file contains entries that are development-only and which shouldn't leak into shipping output artifacts.

The ExcludeFromCompilation property exists and is checked in multiple places but never gets set. I then noticed that the code that sets it got removed in Unify more build and publish logic by dsplaisted · Pull Request #3348 · dotnet/sdk (github.com).

This might have worked before and got broken by this change.

To Reproduce

<Project Sdk="Microsoft.NET.Sdk">
 
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
 
  <ItemGroup>
    <PackageReference Include="Nerdbank.GitVersioning" Version="3.7.48-alpha" PrivateAssets="all" />
  </ItemGroup>
 
</Project>

  1. dotnet new console
  2. Add the PackageReference item from above.
  3. dotnet build
  4. Observe the generated deps.json file in the output directory.
  5. Find Nerdbank.GitVersioning in the deps.json file.

Note that PrivateAssets metadata isn't even required on this package reference as the package is marked as developmentDependency in its nuspec. This also reproduces with any other development-only package, i.e. Microsoft.DotNet.XliffTasks. I.e. look at the dotnet.deps.json file in the sdk folder. It lists XliffTasks. These packages aren't compile or runtime dependencies, they extend the build process.

The loader ignores the empty entry and hence doesn't try to resolve the dependency from disk.

Further technical details

.NET 8.0.201 SDK

cc @dsplaisted
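
A way to check a shipped deps.json for the entries described in this issue, as an added example that is not part of the original report or of dotnet/sdk: it flags packages that are listed but whose target entry is empty in every target. The sample document is constructed, `Example.Runtime.Lib` is a hypothetical package, and treating an empty entry as the marker of a build-only package is an assumption taken from the report's remark that the loader ignores the empty entry.

```python
import json

# Constructed sample in the deps.json layout; not output copied from the issue.
SAMPLE_DEPS_JSON = """{
  "targets": {".NETCoreApp,Version=v7.0": {
    "app/1.0.0": {
      "dependencies": {"Nerdbank.GitVersioning": "3.7.48-alpha",
                       "Example.Runtime.Lib": "1.0.0"},
      "runtime": {"app.dll": {}}
    },
    "Nerdbank.GitVersioning/3.7.48-alpha": {},
    "Example.Runtime.Lib/1.0.0": {
      "runtime": {"lib/net7.0/Example.Runtime.Lib.dll": {}}
    }
  }},
  "libraries": {
    "app/1.0.0": {"type": "project"},
    "Nerdbank.GitVersioning/3.7.48-alpha": {"type": "package"},
    "Example.Runtime.Lib/1.0.0": {"type": "package"}
  }
}"""

# Sections that mean a package contributes something to the app. "dependencies"
# is included so meta-packages that only pull in other packages are not flagged.
CONTENT_KEYS = ("runtime", "native", "compile", "resources",
                "runtimeTargets", "dependencies")

def find_assetless_packages(deps):
    """Return sorted 'name/version' keys of packages with no content in any target."""
    libraries = deps.get("libraries", {})
    contributes = {}
    for target in deps.get("targets", {}).values():
        for key, entry in target.items():
            if libraries.get(key, {}).get("type") != "package":
                continue  # skip the project itself and project references
            has_content = any(entry.get(k) for k in CONTENT_KEYS)
            contributes[key] = contributes.get(key, False) or has_content
    return sorted(k for k, used in contributes.items() if not used)

def scan_text(text):
    """Parse deps.json text and return the flagged package keys."""
    return find_assetless_packages(json.loads(text))

if __name__ == "__main__":
    for key in scan_text(SAMPLE_DEPS_JSON):
        print("listed without assets (possible build-only package):", key)
```

A flagged entry is a candidate for review, not proof of a development dependency, since a package can legitimately have no assets for a given target framework.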
