Change NuGetAuditMode default to all for non-SDK style projects
zivkan opened this issue · comments
NuGet Product(s) Affected
NuGet.exe, MSBuild.exe
Current Behavior
NuGetAuditMode defaults to direct ever since the feature was introduced in VS17.8.
Desired Behavior
Change the default to all, so that customers get warned about transitive packages with known vulnerabilities, in addition to direct packages. Note that this default has already been changed for SDK style projects using the .NET 9 SDK.
NOTE ON BREAKING CHANGE
NuGetAudit raises warnings when packages with vulnerabilities are found. But many people use "treat errors as warnings", so it will give the appearance of a breaking change. Therefore, I've labeled this issue as "breaking change", even though it's technically not, in order to raise visibility.
Additional Context
Just like the .NET 9 SDK NuGetAuditMode defaults change, non-SDK style customers must be able to configure their project to use direct, and we should respect SdkAnalysisLevel even for non-SDK style projects, so that customers can set it in a repo level Directory.Build.props and have it apply to non-SDK style projects, in addition to SDK style projects.
For more information on NuGetAudit, including TreatWarningsNotAsErrors, see our docs on the feature: https://learn.microsoft.com/nuget/concepts/auditing-packages