dotnet list package --vulnerable ignores auditSources in NuGet.Config

[rcocks-hl]

I have <auditSources> defined in my NuGet.Config file as:

  <auditSources>
        <clear />
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>

When I run: dotnet list package --vulnerable , it fails because it still tries to contact my private package source defined in packageSources.

Is there a way so that it only audits from the auditSources when running dotnet list package --vulnerable?

[KalleOlaviNiemitalo]

In my opinion, this should be doable by using dotnet list package --vulnerable --source DIR where DIR is the path of an empty directory; --source should then override packageSources but not auditSources. However, according to the dotnet list package documentation, that doesn't work: --source requires either --outdated or --deprecated, and neither of those can be combined with --vulnerable.

[dotnet-policy-service]

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

[rcocks-hl]

Sorry, I thought I was in that repo, creating in there.

Update: Looks like it exists already as NuGet/Home#13767