8 changes: 4 additions & 4 deletions docs/concepts/Auditing-Packages.md
Expand Up @@ -20,7 +20,7 @@ The goal of the audit is to identify and mitigate any security vulnerabilities t

| NuGet | .NET SDK | Visual Studio | Feature |
|-------|----------|---------------|---------|
| [5.9](../release-notes/NuGet-5.9.md) | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) |
| [5.9](../release-notes/NuGet-5.9.md) | .NET 5 SDK (5.0.200) | N/A | [`dotnet package list --vulnerable`](#dotnet-list-package---vulnerable) |
| [6.8](../release-notes/NuGet-6.8.md) | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference |
| [6.10](../release-notes/NuGet-6.10.md) | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config|
| [6.11](../release-notes/NuGet-6.11.md) | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference |
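
Review bot: The link in the changed 5.9 row still targets `#dotnet-list-package---vulnerable`, but this same patch renames that section's heading to `dotnet package list --vulnerable`, so the in-page anchor will stop resolving unless the fragment is updated to match. The row is also scoped to the .NET 5 SDK (5.0.200), while the update bullet later in this file ties the new command order to .NET 10, so consider keeping `dotnet list package --vulnerable` in this row or showing both spellings.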
Expand Down Expand Up @@ -137,7 +137,7 @@ If security vulnerabilities are found and updates are available for the package,
- Edit the `.csproj` or other package version location (`Directory.Packages.props`) with a newer version containing a security fix.
- Use the NuGet package manager user interface in Visual Studio to update the individual package.
- Run the `dotnet package update --vulnerable` command to update all vulnerable packages in a project to the first version without known vulnerabilities.
- Run the `dotnet package update` or `dotnet package add` commands with the respective package ID to update to the latest version. Use [`dotnet add package` when using .NET 9 or earlier](/dotnet/core/whats-new/dotnet-10/sdk#more-consistent-command-order).
- Run the `dotnet package update` or `dotnet package add` commands with the respective package ID to update to the latest version. Use [`dotnet package add` when using .NET 9 or earlier](/dotnet/core/whats-new/dotnet-10/sdk#more-consistent-command-order).
- Use the NuGet Model Context Protocol (MCP) server that has the ability to update packages in your project to versions that resolve known vulnerabilities.
See [Fixing package vulnerabilities](NuGet-MCP-Server.md#fixing-package-vulnerabilities) for more information.
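
Review bot: The changed bullet now tells readers to run `dotnet package add` and then to use `dotnet package add` when using .NET 9 or earlier, so the fallback for older SDKs has been lost to the rename. The link text should keep the verb-first `dotnet add package`, since the purpose of that sentence is to give the spelling that predates the .NET 10 command-order change it links to.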

Expand Down Expand Up @@ -289,7 +289,7 @@ Similarly, think about if you want this error to happen everywhere, or only in C
Again, since MSBuild is a scripting language, you can use any of its capabilities to customize your repo however you want.
Viewing [MSBuild's metaproj](/visualstudio/msbuild/how-to-build-specific-targets-in-solutions-by-using-msbuild-exe#troubleshooting) and [binlogs](/visualstudio/msbuild/msbuild-command-line-reference#switches-for-loggers) are useful to develop and troubleshoot solution level targets.

## `dotnet list package --vulnerable`
## `dotnet package list --vulnerable`

[`dotnet list package`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities.
[`dotnet package list`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities.
Note that `--include-transitive` is not default, so should be included.
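
Review bot: In the changed sentence under the renamed heading, the link text becomes `dotnet package list` but the URL stays `/dotnet/core/tools/dotnet-list-package`, while Security-Best-Practices.md and Package-Source-Mapping.md in this patch move to `/dotnet/core/tools/dotnet-package-list`. Pick one target and use it in every file the patch touches.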
4 changes: 2 additions & 2 deletions docs/concepts/Security-Best-Practices.md
Expand Up @@ -106,7 +106,7 @@ This is typically found in one of two places:

Depending on what method you use to manage your NuGet dependencies, you can also use Visual Studio to view your dependencies directly in [Solution Explorer](/visualstudio/ide/solutions-and-projects-in-visual-studio#solution-explorer) or [NuGet Package Manager](../consume-packages/install-use-packages-visual-studio.md).

For CLI environments, you can use the [`dotnet list package` command](/dotnet/core/tools/dotnet-list-package) to list out your project or solution’s dependencies.
For CLI environments, you can use the [`dotnet package list` command](/dotnet/core/tools/dotnet-package-list) to list out your project or solution’s dependencies.
You can also use the [`dotnet nuget why` command](/dotnet/core/tools/dotnet-nuget-why) to understand why transitive packages (those not directly referenced by your project) are being included in your project's package graph.

For more information on managing NuGet dependencies, [see the following documentation](../consume-packages/overview-and-workflow.md).
Expand Down Expand Up @@ -140,7 +140,7 @@ This may include:
**📦 Package Consumer | 📦🖊 Package Author**

You can use the [dotnet CLI](/dotnet/core/tools/dotnet-list-package) to list any known deprecated or vulnerable dependencies you may have inside your project or solution.
You can use the command `dotnet list package --deprecated` or `dotnet list package --vulnerable` to provide you a list of any known deprecations or vulnerabilities.
You can use the command `dotnet package list --deprecated` or `dotnet package list --vulnerable` to provide you a list of any known deprecations or vulnerabilities.
[NuGetAudit](Auditing-Packages.md) can warn you about known vulnerable dependencies, and is enabled by default when [a source provides a vulnerabilities database](Auditing-Packages.md#audit-sources).

### GitHub vulnerable dependencies
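
Review bot: The unchanged sentence directly above the edited line still links the dotnet CLI to `/dotnet/core/tools/dotnet-list-package`, while the earlier hunk in this file switches to `/dotnet/core/tools/dotnet-package-list`. Update that link in the same change so the two adjacent sentences point at the same reference page.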
2 changes: 1 addition & 1 deletion docs/concepts/package-installation-process.md
Expand Up @@ -20,7 +20,7 @@ The general process is as follows:
2. Acquire the package:
- Check if the package (by exact identifer and version number) is already installed in the *global-packages* folder as described on [Managing the global packages and cache folders](../consume-packages/managing-the-global-packages-and-cache-folders.md).

- If the package is not in the *global-packages* folder, attempt to retrieve it from the sources listed in the [configuration files](../consume-packages/Configuring-NuGet-Behavior.md). [Package Source Mapping](../consume-packages/package-source-mapping.md) configurations are applied at this point. For online sources, attempt first to retrieve the package from the HTTP cache unless `-NoHttpCache` is specified with `nuget.exe` commands or `--no-http-cache` is specified with `dotnet restore`. (Visual Studio and `dotnet add package` always use the cache.) If a package is used from the cache, "CACHE" appears in the output. The cache has an expiration time of 30 minutes.
- If the package is not in the *global-packages* folder, attempt to retrieve it from the sources listed in the [configuration files](../consume-packages/Configuring-NuGet-Behavior.md). [Package Source Mapping](../consume-packages/package-source-mapping.md) configurations are applied at this point. For online sources, attempt first to retrieve the package from the HTTP cache unless `-NoHttpCache` is specified with `nuget.exe` commands or `--no-http-cache` is specified with `dotnet restore`. (Visual Studio and `dotnet package add` always use the cache.) If a package is used from the cache, "CACHE" appears in the output. The cache has an expiration time of 30 minutes.

- If the package has been specified using a [floating version](../consume-packages/Package-References-in-Project-Files.md#floating-versions), or without a minimum version, NuGet *will* contact all sources to figure out the best match.
Example: `1.*`, `(, 2.0.0]`.
2 changes: 1 addition & 1 deletion docs/consume-packages/Finding-and-Choosing-Packages.md
Expand Up @@ -113,7 +113,7 @@ The Visual Studio Package Manager Console, NuGet CLI, and dotnet CLI tools don't

- For the NuGet CLI, use the `-prerelease` switch with the `install`, `update`, `delete`, and `mirror` commands. For more information, see the [NuGet CLI reference](../reference/nuget-exe-cli-reference.md).

- For the dotnet CLI, specify a prerelease version with the `-v` argument. For more information, see the [dotnet add package reference](/dotnet/core/tools/dotnet-add-package).
- For the dotnet CLI, specify a prerelease version with the `-v` argument. For more information, see the [dotnet package reference add](/dotnet/core/tools/dotnet-add-package).

<a name="native-cpp-packages"></a>
### Native C++ packages
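
Review bot: The new link text `dotnet package reference add` in the dotnet CLI bullet reads as a command name instead of as the reference page for `dotnet package add`; the old text meant "the reference for dotnet add package", so the rename should produce `dotnet package add` followed by the word reference. The URL also remains `/dotnet/core/tools/dotnet-add-package`, whereas Package-Restore.md in this patch links to `/dotnet/core/tools/dotnet-package-add`.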
2 changes: 1 addition & 1 deletion docs/consume-packages/Package-Restore.md
Expand Up @@ -123,7 +123,7 @@ If you see the error **This project references NuGet package(s) that are missing
[!INCLUDE [restore-dotnet-cli](includes/restore-dotnet-cli.md)]

> [!IMPORTANT]
> To add a missing package reference to the project file, use [dotnet add package](/dotnet/core/tools/dotnet-add-package), which also runs `restore`.
> To add a missing package reference to the project file, use [dotnet package add](/dotnet/core/tools/dotnet-package-add), which also runs `restore`.

<a name="restore-using-the-nugetexe-cli"></a>

3 changes: 1 addition & 2 deletions docs/consume-packages/Package-Source-Mapping.md
Expand Up @@ -150,8 +150,7 @@ There are 2 ways you can fully onboard your repository, [manually](#manual-onboa
For manual onboarding you may take the following steps:

1. Declare a new [global packages folder for your repo](../reference/nuget-config-file.md#config-section).
1. Run [dotnet restore](/dotnet/core/tools/dotnet-restore) to restore dependencies.
1. Run [`dotnet list package --include-transitive`](/dotnet/core/tools/dotnet-list-package#synopsis) to view all top-level and transitive packages in your solution.
1. Run [`dotnet package list --include-transitive`](/dotnet/core/tools/dotnet-package-list#synopsis) to view all top-level and transitive packages in your solution.
* For .NET framework projects using [`packages.config`](../reference/packages-config.md), the `packages.config` file will have a flat list of all direct and transitive packages.
1. Define mappings such that every package ID in your solution - _including transitive packages_ - matches a pattern for the target source.
1. Run [dotnet nuget locals global-packages -c](/dotnet/core/tools/dotnet-nuget-locals) to clear global-packages directory.
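
Review bot: The file header reports 1 addition and 2 deletions and the hunk shrinks from 8 lines to 7, so the `Run dotnet restore` step is deleted together with the old list line instead of the list line simply being renamed. Step 1 declares a new global packages folder and the list step is meant to show every top-level and transitive package, so the restore step should stay between them unless dropping it is intended and explained in the PR description.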
4 changes: 2 additions & 2 deletions docs/consume-packages/PackageDownload-Functionality.md
Expand Up @@ -37,7 +37,7 @@ All newly acquired PackageDownload packages will be installed in the global pack
| pack | Included in the package specification | Not included in the package specification. |
| Transitivity | PackageReference items are automatically propagated to dependant projects | PackageDownload items are ignored by dependant projects |
| Version | Version ranges such as `1.0.0` or `[1.0.0, )` are supported. Exactly 1 version is allowed. | Only exact versions are supported. More than 1 version can be downloaded. |
| dotnet list package | All dependencies are included | PackageDownload packages are not shown by `dotnet list package`. |
| dotnet package list | All dependencies are included | PackageDownload packages are not shown by `dotnet package list`. |

Due to the fact that PackageDownload are not tied to the project in any way beyond acquisition, multiple versions of the same package can be downloaded.

Expand All @@ -46,7 +46,7 @@ Due to the fact that PackageDownload are not tied to the project in any way beyo
Given that this is an advanced feature with limited applicability, it doesn't have a tooling support equivalent to PackageReference.

- There is no VisualStudio or dotnet.exe functionality to modify PackageDownload items. You can only change them manually in your project files.
- dotnet add, remove, and list commands do not account for PackageDownload items.
- dotnet package/reference add, remove, and list commands do not account for PackageDownload items.
- PackageDownload items are *not* part of the [packages lock file](package-references-in-project-files.md#locking-dependencies).

### PackageDownload applications
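
Review bot: `dotnet package/reference add, remove, and list` in the changed bullet is ambiguous shorthand, and it introduces `dotnet reference`, which the original bullet did not mention. Spell out the commands this limitation covers, for example `dotnet package add`, `dotnet package remove`, and `dotnet package list`, matching the table row changed in the previous hunk.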
22 changes: 11 additions & 11 deletions docs/consume-packages/install-use-packages-dotnet-cli.md
Expand Up @@ -21,20 +21,20 @@ For most commands, the CLI tool looks for a project file in the current director

## Install or update a package

The [dotnet add package](/dotnet/core/tools/dotnet-add-package) command adds a package reference to the project file, and then runs `dotnet restore` to install the package.
The [dotnet package add](/dotnet/core/tools/dotnet-package-add) command adds a package reference to the project file, and then runs `dotnet restore` to install the package.

1. Open a command line and switch to the directory that contains your project file.

1. Use the following command to install a NuGet package:

```dotnetcli
dotnet add package <PACKAGE_NAME>
dotnet package add <PACKAGE_NAME>
```

For example, to install the `Newtonsoft.Json` package, use the following command

```dotnetcli
dotnet add package Newtonsoft.Json
dotnet package add Newtonsoft.Json
```

1. After the command completes, you can open the project file to see the package reference.
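
Review bot: Every command on this page moves to the noun-first form with no fallback for older SDKs, unlike Auditing-Packages.md, whose update bullet carries a note for .NET 9 or earlier. Add a short note near the top of "Install or update a package" that links to the same command-order article and names the verb-first equivalents, so readers on an older SDK are not left with commands that differ from what their tooling expects.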
Expand All @@ -49,40 +49,40 @@ The [dotnet add package](/dotnet/core/tools/dotnet-add-package) command adds a p

## Install a specific version of a package

The `dotnet add package` command installs the latest version of the package unless you specify a different version.
The `dotnet package add` command installs the latest version of the package unless you specify a different version.

To install a specific version of a NuGet package, use the optional `-v` or `--version` switch:

```dotnetcli
dotnet add package <PACKAGE_NAME> -v <VERSION>
dotnet package add <PACKAGE_NAME> -v <VERSION>
```

For example, to add version 12.0.1 of the `Newtonsoft.Json` package, use this command:

```dotnetcli
dotnet add package Newtonsoft.Json --version 12.0.1
dotnet package add Newtonsoft.Json --version 12.0.1
```

## List package references

List the package references and versions for your project by using the [dotnet list package](/dotnet/core/tools/dotnet-list-package) command:
List the package references and versions for your project by using the [dotnet package list](/dotnet/core/tools/dotnet-package-list) command:

```dotnetcli
dotnet list package
dotnet package list
```

## Remove a package

Use the [dotnet remove package](/dotnet/core/tools/dotnet-remove-package) command to remove a package reference from the project file.
Use the [dotnet package remove](/dotnet/core/tools/dotnet-package-remove) command to remove a package reference from the project file.

```dotnetcli
dotnet remove package <PACKAGE_NAME>
dotnet package remove <PACKAGE_NAME>
```

For example, to remove the `Newtonsoft.Json` package, use the following command:

```dotnetcli
dotnet remove package Newtonsoft.Json
dotnet package remove Newtonsoft.Json
```

## Restore packages
4 changes: 2 additions & 2 deletions docs/nuget-org/Deprecate-packages.md
Expand Up @@ -47,10 +47,10 @@ Visual Studio warns about a deprecated package's usage on the `Installed` tab. I
### dotnet.exe
*Available starting with .NET SDK 3.0*

If you use dotnet.exe, you can run the command `dotnet list package --deprecated` on the solution or project folder to get a list of deprecated packages along with the deprecation information:
If you use dotnet.exe, you can run the command `dotnet package list --deprecated` on the solution or project folder to get a list of deprecated packages along with the deprecation information:

```
> dotnet list package --deprecated
> dotnet package list --deprecated

The following sources were used:
https://api.nuget.org/v3/index.json
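
Review bot: The unchanged line above the edit says the feature is available starting with .NET SDK 3.0, but the command in both the sentence and the sample session is now `dotnet package list --deprecated`, a spelling that Auditing-Packages.md in this patch associates with .NET 10. Either keep `dotnet list package --deprecated` here or give the pre-.NET 10 form next to the new one so the availability statement stays accurate.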
Expand Up @@ -9,7 +9,7 @@ ms.topic: quickstart

# Quickstart: Install and use a package with the dotnet CLI

NuGet packages contain compiled binary code that developers make available for other developers to use in their projects. For more information, see [What is NuGet](../What-is-NuGet.md). This quickstart describes how to install the popular [Newtonsoft.Json](https://www.nuget.org/packages/Newtonsoft.Json) NuGet package into a .NET project by using the [dotnet add package](/dotnet/core/tools/dotnet-add-package) command.
NuGet packages contain compiled binary code that developers make available for other developers to use in their projects. For more information, see [What is NuGet](../What-is-NuGet.md). This quickstart describes how to install the popular [Newtonsoft.Json](https://www.nuget.org/packages/Newtonsoft.Json) NuGet package into a .NET project by using the [dotnet package add](/dotnet/core/tools/dotnet-package-add) command.

You refer to installed packages in code with a `using <namespace>` directive, where `<namespace>` is often the package name. You can then use the package's API in your project.

Expand Down Expand Up @@ -41,7 +41,7 @@ You can install NuGet packages into a .NET project. For this walkthrough, create
1. Use the following command to install the `Newtonsoft.json` package:

```dotnetcli
dotnet add package Newtonsoft.Json
dotnet package add Newtonsoft.Json
```

2. After the command completes, open the *Nuget.Quickstart.csproj* file in Visual Studio to see the added NuGet package reference:
4 changes: 2 additions & 2 deletions docs/reference/NuGet-Client-SDK.md
Expand Up @@ -59,7 +59,7 @@ NuGet's package maintenance approach will align with the [.NET Package Maintenan
Install the `NuGet.Protocol` package to interact with HTTP and folder-based NuGet package feeds:

```ps1
dotnet add package NuGet.Protocol
dotnet package add NuGet.Protocol
```

You can find the source code for these examples on the [NuGet.Protocol.Samples](https://github.com/NuGet/Samples/tree/main/NuGetProtocolSamples) project on GitHub.
Expand Down Expand Up @@ -119,7 +119,7 @@ Use [`NuGet.Protocol`](https://www.nuget.org/packages/NuGet.Protocol) to work wi
Install the `NuGet.Packaging` package to interact with `.nupkg` and `.nuspec` files from a stream:

```ps1
dotnet add package NuGet.Packaging
dotnet package add NuGet.Packaging
```

### Create a package
4 changes: 2 additions & 2 deletions docs/reference/dotnet-Commands.md
Expand Up @@ -17,8 +17,8 @@ For the complete command reference on `dotnet` CLI, see [.NET Core command-line

## Package consumption

- [**dotnet add package**](/dotnet/core/tools/dotnet-add-package): Adds a package reference to the project file, then runs `dotnet restore` to install the package.
- [**dotnet remove package**](/dotnet/core/tools/dotnet-remove-package): Removes a package reference from the project file.
- [**dotnet package add**](/dotnet/core/tools/dotnet-package-add): Adds a package reference to the project file, then runs `dotnet restore` to install the package.
- [**dotnet package remove**](/dotnet/core/tools/dotnet-package-remove): Removes a package reference from the project file.
- [**dotnet restore**](/dotnet/core/tools/dotnet-restore?tabs=netcore2x): Restores the dependencies and tools of a project. As of NuGet 4.0, this runs the same code as `nuget restore`.
- [**dotnet nuget locals**](/dotnet/core/tools/dotnet-nuget-locals): Lists locations of the *global-packages*, *http-cache*, and *temp* folders and clears the contents of those folders.
- [**dotnet new nugetconfig**](/dotnet/core/tools/dotnet-new): Creates a [`nuget.config`](../reference/nuget-config-file.md) file to configure NuGet's behavior.
Expand Up @@ -21,7 +21,7 @@ The authentication mechanism in dotnet.exe is device flow. When the restore or a
When the user completes the authentication the operation will continue.

To make the operation interactive, one should pass `--interactive`.
Currently only the explicit `dotnet restore` and `dotnet add package` commands support an interactive switch.
Currently only the explicit `dotnet restore` and `dotnet package add` commands support an interactive switch.
There is no interactive switch on `dotnet build` and `dotnet publish`.

## Authentication in MSBuild