diff --git a/docs/core/compatibility/8.0.md b/docs/core/compatibility/8.0.md index 6c56c864ba3aa..5589d1c706834 100644 --- a/docs/core/compatibility/8.0.md +++ b/docs/core/compatibility/8.0.md @@ -141,6 +141,7 @@ If you're migrating an app to .NET 8, the breaking changes listed here might aff | [Runtime-specific apps not self-contained](sdk/8.0/runtimespecific-app-default.md) | Source/binary incompatible | | [--arch option doesn't imply self-contained](sdk/8.0/arch-option.md) | Behavioral change | | ['dotnet restore' produces security vulnerability warnings](sdk/8.0/dotnet-restore-audit.md) | Behavioral change | +| ['dotnet list package' warns if source doesn't provide vulnerability data](sdk/8.0/dotnet-list-package-audit-source-warning.md) | Behavioral change | | [SDK uses a smaller RID graph](sdk/8.0/rid-graph.md) | Behavioral change/Source incompatible | | [Setting DebugSymbols to false disables PDB generation](sdk/8.0/debugsymbols.md) | Behavioral change | | [Source Link included in the .NET SDK](sdk/8.0/source-link.md) | Source incompatible | diff --git a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md new file mode 100644 index 0000000000000..6bccfc72764ff --- /dev/null +++ b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md 
@@ -0,0 +1,42 @@ +--- +title: "Breaking change: 'dotnet list package' warns if source doesn't provide vulnerability data" +description: "Learn about the breaking change in .NET 8 where 'dotnet list package --vulnerable' emits a warning when audit sources don't support VulnerabilityInfoResource." +ms.date: 09/29/2025 +ai-usage: ai-assisted +ms.custom: https://github.com/dotnet/docs/issues/42608 +--- +# 'dotnet list package' warns if source doesn't provide vulnerability data + +When using `dotnet list package --vulnerable`, if a configured `auditsources` doesn't support `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source doesn't provide vulnerability data. + +## Version introduced + +.NET 8 + +## Previous behavior + +Previously, the command silently skipped `auditsource` sources that lacked vulnerability information. + +## New behavior + +Starting in .NET 8, the command emits a warning: + +> Audit source '{0}' did not provide any vulnerability data. + +This warning helps users understand why certain sources might not influence the reported vulnerabilities. + +## Type of breaking change + +This is a [behavioral change](../../categories.md#behavioral-change). + +## Reason for change + +This warning came as part of the work to allow customers to use `auditsources` when running the `dotnet list package` command. The warning helps users understand when configured audit sources don't provide the expected vulnerability information. + +## Recommended action + +Check the specified `auditsources` to ensure it supports `VulnerabilityInfoResource`. If it doesn't, either update the source or replace it with one that provides vulnerability data. + +## Affected APIs + +None. diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 33939a4065721..7014be6aa0351 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml 
@@ -484,6 +484,8 @@ items: href: sdk/8.0/dotnet-publish-config.md - name: "'dotnet restore' produces security vulnerability warnings" href: sdk/8.0/dotnet-restore-audit.md + - name: "'dotnet list package' warns if source doesn't provide vulnerability data" + href: sdk/8.0/dotnet-list-package-audit-source-warning.md - name: Duplicate output for -getItem, -getProperty, and -getTargetResult href: sdk/8.0/getx-duplicate-output.md - name: Implicit `using` for System.Net.Http no longer added
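Review bot: In the docs/core/compatibility/8.0.md hunk, the added table row's link text reads "'dotnet list package' warns if source doesn't provide vulnerability data", but the new article's description ties the warning to `dotnet list package --vulnerable`. Consider naming the `--vulnerable` option in the link text, and in the article title it mirrors, so a reader scanning the table can tell which invocation is affected.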
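Review bot: In the new file dotnet-list-package-audit-source-warning.md, the setting name is inconsistent and disagrees with its verbs: the intro says "a configured `auditsources` doesn't support", "Previous behavior" says "`auditsource` sources", and "Recommended action" says "Check the specified `auditsources` to ensure it supports". Pick one spelling that matches the NuGet configuration element and make the grammar agree, for example "if a configured audit source doesn't support `VulnerabilityInfoResource`". Two smaller points in the same file: the quoted warning under "New behavior" shows the raw format placeholder `'{0}'`, so either state that it stands for the audit source or use a descriptive placeholder; and "Recommended action" tells the reader to ensure the source supports `VulnerabilityInfoResource` without saying how to check that, so a sentence or link on how to confirm it would make the step actionable.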
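Review bot: In the docs/core/compatibility/toc.yml hunk, the new entry is placed after "'dotnet restore' produces security vulnerability warnings", while the visible neighbours (the dotnet-publish-config.md entry, 'dotnet restore', "Duplicate output ...", "Implicit `using` ...") appear to be in alphabetical order. If this section is kept sorted, "'dotnet list package' ..." belongs ahead of the dotnet-publish-config.md entry rather than after 'dotnet restore'. The `name` value should also be kept identical to the article title if that title is changed to mention `--vulnerable`.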