All skills
Skillintermediate

Security Audit for Dependencies

Audit .NET project dependencies for security vulnerabilities, outdated packages, and deprecated libraries.

Claude Code Knowledge Pack7/10/2026

Overview

Security Audit for Dependencies

Audit .NET project dependencies for security vulnerabilities, outdated packages, and deprecated libraries.

Vulnerable Packages

Find packages with known security vulnerabilities:

# Check for vulnerable packages
dotnet list package --vulnerable

# Include transitive dependencies
dotnet list package --vulnerable --include-transitive

# JSON output for CI/CD
dotnet list package --vulnerable --format json

Requirements: .NET SDK 9.0.300+ for vulnerability scanning.

Outdated Packages

Using built-in commands

# Find packages with newer versions
dotnet list package --outdated

# Include prerelease versions
dotnet list package --outdated --include-prerelease

# Limit to patch updates only (same major.minor)
dotnet list package --outdated --highest-patch

# Limit to minor updates only (same major)
dotnet list package --outdated --highest-minor

# JSON output
dotnet list package --outdated --format json

Using dotnet outdated (Third-party)

Install: dotnet tool install -g dotnet-outdated-tool

# Check for outdated packages (nicer output)
dotnet outdated

# Auto-update all packages to latest
dotnet outdated -u

# Include specific packages only
dotnet outdated -u -inc PackageName

# Exclude specific packages
dotnet outdated -u -exc PackageName

# Update to highest minor version only
dotnet outdated -u -vl Minor

# Update to highest patch version only
dotnet outdated -u -vl Patch

Deprecated Packages

# Find deprecated packages
dotnet list package --deprecated

# Include transitive dependencies
dotnet list package --deprecated --include-transitive

Framework-Specific Auditing

# Audit specific framework only
dotnet list package --outdated --framework net8.0
dotnet list package --vulnerable --framework net8.0

CI/CD Integration

Generate JSON reports for automated pipelines:

# Full security report
dotnet list package --vulnerable --include-transitive --format json > vulnerable.json
dotnet list package --outdated --format json > outdated.json
dotnet list package --deprecated --format json > deprecated.json

Combined Workflow

For a comprehensive security audit:

# 1. Check for vulnerabilities (critical)
dotnet list package --vulnerable --include-transitive

# 2. Check for deprecated packages
dotnet list package --deprecated

# 3. Check for outdated packages
dotnet list package --outdated

# 4. Update packages (using dotnet outdated)
dotnet outdated -u

Package Source Configuration

Vulnerability data comes from configured NuGet sources. Ensure your nuget.config includes vulnerability-aware sources:

<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <auditSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>

References