dotnet list package: Audit Dependencies in CI
dotnet list package lists a project's package references, and with flags reports which are outdated, vulnerable, or deprecated.
This is the built-in dependency audit. In CI it doubles as a lightweight security gate against known-vulnerable packages.
What it does
dotnet list package prints the direct (and optionally transitive) package references for a project or solution. --vulnerable queries advisory data, --outdated compares against the latest versions, and --deprecated flags packages marked deprecated by their authors.
Common usage
dotnet list package
dotnet list package --vulnerable --include-transitive
dotnet list package --outdated
dotnet list package --deprecatedOptions
| Flag | What it does |
|---|---|
| --vulnerable | List packages with known vulnerabilities |
| --outdated | List packages with a newer version available |
| --deprecated | List packages marked deprecated |
| --include-transitive | Include indirect dependencies, not just direct ones |
| --format json | Emit machine-readable JSON (newer SDKs) |
In CI
Run dotnet list package --vulnerable --include-transitive and fail the job if it reports anything. The command itself exits 0 even when it finds vulnerabilities, so grep the output (for "has the following vulnerable packages") or parse --format json and set the exit code yourself. It needs network access to the advisory and version feeds.
Common errors in CI
"The given project ... has no vulnerable packages" is the all-clear; the command exits 0 either way, so a naive pipeline never catches a vulnerability unless you check the output. NU1100/NU1301 here mean the audit feed is unreachable, which on --vulnerable/--outdated produces no results rather than an obvious failure; ensure egress to the NuGet feeds.