support for listing references into csproj from commandline(s) #4102
Comments
I cannot find the spec draft here: https://github.com/NuGet/Home/wiki/Support-dotnet-ref-add%7Cupdate%7Cdelete-packageref Has the url changed?
Spec - https://github.com/NuGet/Home/wiki/Support-dotnet-add,-update,-remove-pkg Though it is out of date a bit.
feature request from: #5199 Maybe list should have an option for displaying all out of date packages.
I'd love to use this listing feature programmatically in a tool I'm building.
My use case is I'm scanning for usages of vulnerable nugets (direct/transient deps), and I want to give feedback on the full dependency chain if any vulnerable dep is found so it's easier for users to know where to take action. https://github.com/RetireNet/dotnet-retire Atm I'm manually parsing the project.assets.json file and building up a separate object graph (no dep to the Nuget.Client library). It would make my life a lot easier if this was available in the client libraries instead. Oh, and if such a feature already exists, please do tell! Could not find it in any doc or via looking at the source code / PRs.
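An added example, not part of the thread and not dotnet-retire's code: one way to walk `project.assets.json` and report every dependency chain from a direct reference down to a flagged package. The `Contoso.*` packages, their versions and the `dependency_chains` helper are constructed for illustration; the JSON is trimmed to the `targets` and `projectFileDependencyGroups` keys the walk needs.

```python
import json

# Constructed sample in the shape of obj/project.assets.json (trimmed to the
# keys used here); package names and versions are invented.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "netcoreapp2.1": {
      "Contoso.Web/2.0.0": {"type": "package",
        "dependencies": {"Contoso.Http": "1.4.0", "Contoso.Logging": "1.0.0"}},
      "Contoso.Http/1.4.0": {"type": "package",
        "dependencies": {"Contoso.Json": "9.0.1"}},
      "Contoso.Logging/1.0.0": {"type": "package",
        "dependencies": {"Contoso.Json": "9.0.1"}},
      "Contoso.Json/9.0.1": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {"netcoreapp2.1": ["Contoso.Web >= 2.0.0"]}
}
""")

def dependency_chains(assets, target, package_id, version):
    """Return every path from a direct reference to package_id/version."""
    resolved, edges = {}, {}
    for key, entry in assets["targets"][target].items():
        name, _, ver = key.partition("/")
        resolved[name.lower()] = f"{name}/{ver}"   # package ids are case-insensitive
        edges[name.lower()] = [d.lower() for d in entry.get("dependencies", {})]
    wanted = f"{package_id}/{version}".lower()
    # Direct references are listed as "Id >= 1.0.0"; the id is the first token.
    roots = [r.split()[0].lower()
             for r in assets["projectFileDependencyGroups"].get(target, [])]
    chains = []
    def walk(node, path):
        if node not in resolved or node in path:   # unresolved id or cycle
            return
        path = path + [node]
        if resolved[node].lower() == wanted:
            chains.append([resolved[n] for n in path])
            return
        for child in edges[node]:
            walk(child, path)
    for root in roots:
        walk(root, [])
    return chains

if __name__ == "__main__":
    for chain in dependency_chains(SAMPLE_ASSETS, "netcoreapp2.1", "Contoso.Json", "9.0.1"):
        print(" -> ".join(chain))
```

Each returned chain starts at a package the project references directly, which is the one a user can actually bump or replace to move off the flagged version.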
Hey, wondering what is the status of this? It has been a while and the absence is still felt, especially if working with dotnet cli and vs code. Hope it makes it within the 15.5 timeframe...
I'd love to have this command at the moment. I've just learned that some transitive dependency of my project has a vulnerability, but without a way to list all direct and transitive package dependencies, I have no good way to verify that I'm no longer using the vulnerable version. Would you be willing to accept a PR for this? This issue has been open for a long time, and I'd be happy to help.
@benjamin-bader there's a nice .net core global tool for listing outdated references: https://github.com/jerriep/dotnet-outdated
@benjamin-bader As @cwe1ss mentioned, https://github.com/jerriep/dotnet-outdated is a nice global tool to help you. NuGet team is also working on an
Thanks, folks, I'll give it a try. Glad to hear that nuget will support this natively.
Wiki URL seems to have changed again. https://github.com/NuGet/Home/wiki/Support-dotnet-add,-update,-remove-pkg
@tillig Thanks. I have updated the link. :)
Shipped dotnet list package support in dotnet sdk 2.2.100.
splitting off from #3751 - which now just covers the add side of this work
Spec draft: https://github.com/NuGet/Home/wiki/Support-dotnet-ref-add%7Cupdate%7Cdelete-packageref