Repo for NuGet Client issues

Change NuGetAuditMode default to all for non-SDK style projects

zivkan opened this issue · comments

NuGet Product(s) Affected

NuGet.exe, MSBuild.exe

Current Behavior

NuGetAuditMode defaults to direct ever since the feature was introduced in VS17.8.

Desired Behavior

Change the default to all, so that customers get warned about transitive packages with known vulnerabilities, in addition to direct packages. Note that this default has already been changed for SDK style projects using the .NET 9 SDK.

NOTE ON BREAKING CHANGE

NuGetAudit raises warnings when packages with vulnerabilities are found. But many people use "treat errors as warnings", so it will give the appearance of a breaking change. Therefore, I've labeled this issue as "breaking change", even though it's technically not, in order to raise visibility.

Additional Context

Just like the .NET 9 SDK NuGetAuditMode defaults change, non-SDK style customers must be able to configure their project to use direct, and we should respect SdkAnalysisLevel even for non-SDK style projects, so that customers can set it in a repo-level Directory.Build.props and have it apply to non-SDK style projects, in addition to SDK style projects.

For more information on NuGetAudit, including TreatWarningsNotAsErrors, see our docs on the feature: https://learn.microsoft.com/nuget/concepts/auditing-packages
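As an added illustration (not from the issue or from the NuGet project), a repo-level Directory.Build.props for a hypothetical repository that opts every project, SDK style or not, into transitive auditing now rather than waiting for the default change, while keeping audit findings from breaking builds that already treat warnings as errors. It assumes a NuGet version that honours WarningsNotAsErrors during restore, and uses the NuGetAudit warning codes NU1901 (low) through NU1904 (critical).

```xml
<Project>
  <!-- Added example: a repo-level Directory.Build.props (hypothetical repository).
       MSBuild imports it for every project beneath this directory, SDK style and
       non-SDK style alike, so the policy below applies to both kinds. -->
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <!-- Audit transitive packages as well as direct ones. Set explicitly rather
         than via SdkAnalysisLevel: the issue notes that non-SDK style projects
         do not yet respect SdkAnalysisLevel, so it cannot flip this for them. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Common existing policy: any warning fails the build. With
         NuGetAuditMode=all, a newly published advisory for a transitive
         package would then break every build as soon as it is published. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- Keep low (NU1901) and moderate (NU1902) findings visible but
         non-blocking; high (NU1903) and critical (NU1904) findings still
         fail the build. Remove codes from this list to enforce them too. -->
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902</WarningsNotAsErrors>
  </PropertyGroup>
</Project>
```

Running a restore against a project under this directory then reports vulnerable transitive packages in the build output, with only high and critical findings turned into errors.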