diff --git a/pkgs/build-support/dotnet/add-nuget-deps/default.nix b/pkgs/build-support/dotnet/add-nuget-deps/default.nix
index 613acc8132ac..bf3df815af8a 100644
--- a/pkgs/build-support/dotnet/add-nuget-deps/default.nix
+++ b/pkgs/build-support/dotnet/add-nuget-deps/default.nix
@@ -66,27 +66,32 @@ attrs
             src = ./fetch-deps.sh;
             isExecutable = true;
             inherit cacert;
-            defaultDepsFile =
-              # Wire in the depsFile such that running the script with no args
-              # runs it agains the correct deps file by default.
-              # Note that toString is necessary here as it results in the path at
-              # eval time (i.e. to the file in your local Nixpkgs checkout) rather
-              # than the Nix store path of the path after it's been imported.
-              if lib.isPath nugetDeps && !lib.isStorePath nugetDeps then
-                toString nugetDeps
-              else
-                ''$(mktemp -t "${finalAttrs.pname or finalPackage.name}-deps-XXXXXX.nix")'';
             nugetToNix = nuget-to-nix;
           };
 
+          defaultDepsFile =
+            # Wire in the depsFile such that running the script with no args
+            # runs it agains the correct deps file by default.
+            # Note that toString is necessary here as it results in the path at
+            # eval time (i.e. to the file in your local Nixpkgs checkout) rather
+            # than the Nix store path of the path after it's been imported.
+            if lib.isPath nugetDeps && !lib.isStorePath nugetDeps then
+              toString nugetDeps
+            else
+              ''$(mktemp -t "${finalAttrs.pname or finalPackage.name}-deps-XXXXXX.nix")'';
+
         in
         writeShellScript "${finalPackage.name}-fetch-deps" ''
           set -eu
 
           echo 'fetching dependencies for' ${lib.escapeShellArg finalPackage.name} >&2
 
+          # this needs to be before TMPDIR is changed, so the output isn't deleted
+          # if it uses mktemp
+          depsFile=$(realpath "''${1:-${lib.escapeShellArg defaultDepsFile}}")
+
           export TMPDIR
-          TMPDIR=$(mktemp -d -t fetch-deps-${finalPackage.name}.XXXXXX)
+          TMPDIR=$(mktemp -d -t fetch-deps-${lib.escapeShellArg finalPackage.name}.XXXXXX)
           trap 'chmod -R +w "$TMPDIR" && rm -fr "$TMPDIR"' EXIT
 
           export NUGET_HTTP_CACHE_PATH=''${NUGET_HTTP_CACHE_PATH-~/.local/share/NuGet/v3-cache}
@@ -96,8 +101,8 @@ attrs
 
           cd "$TMPDIR"
 
-          NIX_BUILD_SHELL="${runtimeShell}" ${nix}/bin/nix-shell \
-            --pure --keep NUGET_HTTP_CACHE_PATH --run 'source "${innerScript}"' "${drv}"
+          NIX_BUILD_SHELL=${lib.escapeShellArg runtimeShell} ${nix}/bin/nix-shell \
+            --pure --keep NUGET_HTTP_CACHE_PATH --run 'source '${lib.escapeShellArg innerScript}' '"''${depsFile@Q}" "${drv}"
         '';
     };
 }
diff --git a/pkgs/build-support/dotnet/add-nuget-deps/fetch-deps.sh b/pkgs/build-support/dotnet/add-nuget-deps/fetch-deps.sh
index 287d808532df..af560b96fcd5 100644
--- a/pkgs/build-support/dotnet/add-nuget-deps/fetch-deps.sh
+++ b/pkgs/build-support/dotnet/add-nuget-deps/fetch-deps.sh
@@ -2,12 +2,10 @@ set -e
 
 genericBuild
 
-depsFile=$(realpath "${1:-@defaultDepsFile@}")
-
 (
     echo -e "# This file was automatically generated by passthru.fetch-deps.\n# Please dont edit it manually, your changes might get overwritten!\n"
     @nugetToNix@/bin/nuget-to-nix "${NUGET_PACKAGES%/}"
 ) > deps.nix
 
-mv deps.nix "$depsFile"
-echo "Succesfully wrote lockfile to $depsFile"
+mv deps.nix "$1"
+echo "Succesfully wrote lockfile to $1"