dotnet · gewarren · Sep 30, 2025 · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
@@ -141,6 +141,7 @@ If you're migrating an app to .NET 8, the breaking changes listed here might aff
 | [Runtime-specific apps not self-contained](sdk/8.0/runtimespecific-app-default.md)             | Source/binary incompatible                       |
 | [--arch option doesn't imply self-contained](sdk/8.0/arch-option.md)                           | Behavioral change                                |
 | ['dotnet restore' produces security vulnerability warnings](sdk/8.0/dotnet-restore-audit.md)   | Behavioral change                                |
+| ['dotnet list package' warns if source doesn't provide vulnerability data](sdk/8.0/dotnet-list-package-audit-source-warning.md) | Behavioral change                                |
 | [SDK uses a smaller RID graph](sdk/8.0/rid-graph.md)                                           | Behavioral change/Source incompatible            |
 | [Setting DebugSymbols to false disables PDB generation](sdk/8.0/debugsymbols.md)               | Behavioral change                                |
 | [Source Link included in the .NET SDK](sdk/8.0/source-link.md)                                 | Source incompatible                              |

@@ -0,0 +1,42 @@
+---
+title: "Breaking change: 'dotnet list package' warns if source doesn't provide vulnerability data"
+description: "Learn about the breaking change in .NET 8 where 'dotnet list package --vulnerable' emits a warning when audit sources don't support VulnerabilityInfoResource."
+ms.date: 09/29/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs/issues/42608
+---
+# 'dotnet list package' warns if source doesn't provide vulnerability data
+
+When using `dotnet list package --vulnerable`, if a configured `auditsources` doesn't support `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source doesn't provide vulnerability data.
+
+## Version introduced
+
+.NET 8
+
+## Previous behavior
+
+Previously, the command silently skipped `auditsource` sources that lacked vulnerability information.
+
+## New behavior
+
+Starting in .NET 8, the command emits a warning:
+
+> Audit source '{0}' did not provide any vulnerability data.
+
+This warning helps users understand why certain sources might not influence the reported vulnerabilities.
+
+## Type of breaking change
+
+This is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+This warning came as part of the work to allow customers to use `auditsources` when running the `dotnet list package` command. The warning helps users understand when configured audit sources don't provide the expected vulnerability information.
+
+## Recommended action
+
+Check the specified `auditsources` to ensure it supports `VulnerabilityInfoResource`. If it doesn't, either update the source or replace it with one that provides vulnerability data.
+
+## Affected APIs
+
+None.
@@ -484,6 +484,8 @@ items:
                 href: sdk/8.0/dotnet-publish-config.md
               - name: "'dotnet restore' produces security vulnerability warnings"
                 href: sdk/8.0/dotnet-restore-audit.md
+              - name: "'dotnet list package' warns if source doesn't provide vulnerability data"
+                href: sdk/8.0/dotnet-list-package-audit-source-warning.md
               - name: Duplicate output for -getItem, -getProperty, and -getTargetResult
                 href: sdk/8.0/getx-duplicate-output.md
               - name: Implicit `using` for System.Net.Http no longer added