Copilot
Contributor

@Copilot Copilot AI commented Sep 29, 2025

This PR adds documentation for a breaking change introduced in .NET 8 where the dotnet list package --vulnerable command now emits a warning when configured audit sources don't support the VulnerabilityInfoResource.

What changed

In .NET 8, when using dotnet list package --vulnerable, if a configured auditsources does not support the VulnerabilityInfoResource, the command now shows:

Audit source '{source_name}' did not provide any vulnerability data.

Previously, the command would silently skip audit sources that lacked vulnerability information.

Documentation added

  • Breaking change document: /docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md
  • TOC entry: Added to the SDK 8.0 section in toc.yml
  • Index entry: Added to the SDK section in 8.0.md categorized as "Behavioral change"

The documentation follows the established breaking change template and provides clear guidance for developers who encounter this new warning.

Related work

This change was implemented as part of NuGet.Client PR #6237 to enhance dotnet list package functionality with audit source support.

Original prompt

This section details the original issue you should resolve

<issue_title>[Breaking change]: New warning introduced in dotnet list package command.</issue_title>
<issue_description>### Description

When using dotnet list package --vulnerable, if a configured auditsources does not support the VulnerabilityInfoResource, a warning is now shown to inform the user that the source does not provide vulnerability data.

Version

.NET 8

Previous behavior

The command would silently skip auditsources that lacked vulnerability information, because the command did not use auditsources as a source of vulnerability data.

New behavior

The command now emits a warning:
Audit source '{0}' did not provide any vulnerability data.
This helps users understand why certain sources may not influence the reported vulnerabilities.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

This warning came as part of the work we did to allow customers to use auditsources when running the dotnet package list command.

Recommended action

Check the specified auditsources to ensure it supports the VulnerabilityInfoResource. If it doesn't, either update the source or replace it with one that provides vulnerability data.

Feature area

SDK

Affected APIs

No response


Associated WorkItem - 429707</issue_description>

Comments on the Issue (you are @copilot in this section)

@Nigusu-Allehu changes in https://github.com/NuGet/NuGet.Client/pull/6237
Fixes #46042



Internal previews

| 📄 File | 🔗 Preview link |
| --- | --- |
| docs/core/compatibility/8.0.md | Breaking changes in .NET 8 |
| docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md | 'dotnet list package' warns if source doesn't provide vulnerability data |
| docs/core/compatibility/toc.yml | docs/core/compatibility/toc |
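
The check from the issue's "Recommended action", as an added example that is not part of this PR or of NuGet's own code: it reads the audit sources from a nuget.config and reports those whose V3 service index advertises no `VulnerabilityInfo` resource. The config, feed names, URLs and service index documents are constructed, and `fetch` is a hypothetical stand-in for an HTTP GET of each source's index.

```python
import json
import xml.etree.ElementTree as ET

# Constructed nuget.config: two audit sources (names and URLs are made up).
NUGET_CONFIG = """<configuration>
  <auditSources>
    <clear />
    <add key="public-feed" value="https://feed.example/v3/index.json" />
    <add key="internal-mirror" value="https://mirror.example/v3/index.json" />
  </auditSources>
</configuration>"""

# Constructed V3 service index documents, keyed by URL, standing in for HTTP GETs.
SERVICE_INDEXES = {
    "https://feed.example/v3/index.json": json.dumps({"version": "3.0.0", "resources": [
        {"@id": "https://feed.example/v3/registration/", "@type": "RegistrationsBaseUrl/3.6.0"},
        {"@id": "https://feed.example/v3/vulnerabilities/index.json", "@type": "VulnerabilityInfo/6.7.0"},
    ]}),
    "https://mirror.example/v3/index.json": json.dumps({"version": "3.0.0", "resources": [
        {"@id": "https://mirror.example/v3/registration/", "@type": "RegistrationsBaseUrl/3.6.0"},
    ]}),
}

def audit_sources(config_xml):
    """Return {name: url} from <auditSources>, honouring <clear />."""
    sources = {}
    section = ET.fromstring(config_xml).find("auditSources")
    for el in (section if section is not None else []):
        if el.tag == "clear":
            sources.clear()
        elif el.tag == "add":
            sources[el.get("key")] = el.get("value")
    return sources

def vulnerability_resources(index_json):
    """Return the @id of every VulnerabilityInfo resource in a service index."""
    resources = json.loads(index_json).get("resources", [])
    return [r["@id"] for r in resources
            if str(r.get("@type", "")).split("/")[0] == "VulnerabilityInfo"]

def sources_without_vulnerability_data(config_xml, fetch):
    """Names of audit sources whose service index has no VulnerabilityInfo resource."""
    return [name for name, url in audit_sources(config_xml).items()
            if not vulnerability_resources(fetch(url))]

if __name__ == "__main__":
    for name in sources_without_vulnerability_data(NUGET_CONFIG, SERVICE_INDEXES.__getitem__):
        print(f"Audit source '{name}' did not provide any vulnerability data.")
```
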

@Copilot Copilot AI changed the title from "[WIP] [Breaking change]: New warning introduced in dotnet list package command." to "Add breaking change documentation for new dotnet list package audit source warning" Sep 29, 2025
@Copilot Copilot AI requested a review from gewarren September 29, 2025 17:18
Copilot finished work on behalf of gewarren September 29, 2025 17:18
@gewarren gewarren marked this pull request as ready for review September 29, 2025 23:51
@gewarren gewarren requested a review from a team as a code owner September 29, 2025 23:51
@Nigusu-Allehu
Member

The first issue being fixed in the PR description looks unrelated

@gewarren gewarren merged commit e8cd6a1 into main Sep 30, 2025
11 checks passed
@gewarren gewarren deleted the copilot/fix-4070d935-6607-4fe1-ada5-d81cef45d8ca branch September 30, 2025 19:28