dotnet list

Today's tip is about an interesting command. Many may already know it, but in my case, since I usually work with Visual Studio, where the NuGet package manager is integrated into the IDE, it’s easy to see information about updates or package vulnerabilities without using the command line.

However, recently, while using VS Code with WSL, I received a notification from GitHub Dependabot after running my code in the pipeline, informing me about package vulnerabilities in the project.

I tested some extensions for managing NuGet packages in VS Code, but none met my expectations. Finally, I discovered that this could be done directly via the command line.

The useful commands I found were:

dotnet list solution.sln package --vulnerable
# or
dotnet list project.csproj package --vulnerable

Project `ProjectName` has the following vulnerable packages
   [net8.0]:
   Top-level Package                          Requested   Resolved   Severity   Advisory URL

   > Microsoft.Extensions.Caching.Memory      8.0.0       8.0.0      High       https://github.com/advisories/GHSA-qj66-m88j-hmgj
   > Npgsql                                   8.0.2       8.0.2      High       https://github.com/advisories/GHSA-x9vc-6hfv-hg8c

I found it interesting to check for vulnerabilities via the command line, as this allows for customizing parts of the deployment pipeline and preventing vulnerable code from being pushed to production.
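
A pipeline step built on that report could look like the following. This is an added example, not code from the original post: the function names `vulnerable_rows` and `gate` are hypothetical, and the layout of the transitive table and the wording of a clean report are assumptions. It parses the text report, blocks on findings at or above a chosen severity, and fails closed when the input is not a report at all.

```bash
#!/usr/bin/env bash
# Added example (not from the post): severity gate over the text report of
# `dotnet list <sln|csproj> package --vulnerable`. Function names are hypothetical.

# vulnerable_rows MIN: read a report on stdin, print
# "package resolved severity advisory" for each row at or above MIN.
vulnerable_rows() {
  awk -v min="$1" '
    BEGIN {
      rank["Low"] = 1; rank["Moderate"] = 2; rank["High"] = 3; rank["Critical"] = 4
      if (!(min in rank)) exit 2              # unknown threshold name
    }
    # Assumption: vulnerable and clean reports both contain this phrase.
    /vulnerable packages/ { seen = 1 }
    # Package rows start with ">". Fields are counted from the right, so a
    # table without the "Requested" column parses the same way.
    $1 == ">" && NF >= 5 {
      sev = $(NF - 1)
      r = (sev in rank) ? rank[sev] : 4       # unknown severity counts as worst
      if (r >= rank[min]) print $2, $(NF - 2), sev, $NF
    }
    END { if (!seen) exit 2 }                 # not a report: fail closed
  '
}

# gate MIN: 0 = clean, 1 = blocking findings, 2 = report not understood.
gate() {
  local hits
  hits=$(vulnerable_rows "$1") || return 2
  [ -z "$hits" ] && return 0
  printf 'Blocking packages (severity >= %s):\n%s\n' "$1" "$hits" >&2
  return 1
}

# Sample input: the two rows shown in the post plus one constructed transitive
# row (placeholder package name and URL) to exercise the threshold.
SAMPLE_REPORT='Project `ProjectName` has the following vulnerable packages
   [net8.0]:
   Top-level Package                          Requested   Resolved   Severity   Advisory URL
   > Microsoft.Extensions.Caching.Memory      8.0.0       8.0.0      High       https://github.com/advisories/GHSA-qj66-m88j-hmgj
   > Npgsql                                   8.0.2       8.0.2      High       https://github.com/advisories/GHSA-x9vc-6hfv-hg8c
   Transitive Package        Resolved   Severity   Advisory URL
   > Example.Transitive.Lib  1.0.0      Moderate   https://example.invalid/advisory-placeholder'

# Demo on the sample. In a pipeline, pipe the real command into the gate:
#   dotnet list solution.sln package --vulnerable --include-transitive | gate High
printf '%s\n' "$SAMPLE_REPORT" | gate High || echo "gate exit code: $?"
```

The gate decides from the parsed rows rather than from the exit status of `dotnet list`, so a restore error or an empty report returns 2 instead of passing silently.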


See more: dotnet-list-package

Sergio Paulo

Data Scientist | Python | LLM | GenAI | ML | RAG | NLP

3 months ago

Nice content!

Patrick Cunha

Lead Fullstack Engineer | Typescript Software Engineer | Nestjs | Nodejs | Reactjs | AWS | Rust

3 months ago

Very helpful

Eduardo Diogo

Senior Fullstack Engineer | Front-End focused developer | React | Next.js | Vue | Typescript | Node | Laravel | .NET | Azure | AWS

3 months ago

NuGet CLI commands simplify package management!

Alexandre Germano Souza de Andrade

Senior Software Engineer | Backend-Focused Fullstack Developer | .NET | C# | Angular | React.js | TypeScript | JavaScript | Azure | SQL Server

3 months ago

Interesting! Thanks for sharing Rafael Da Silva

Cássio Huggentobler de Costa

Software Engineer | Tech Lead | .NET & C# | SQL & NoSQL | Google Cloud | ETL & Data visualization (Looker Studio, PowerBI)

3 months ago

Very informative
