Proj0040: Run NuGet security audits on transitive dependencies too
When NuGet auditing is enabled, GitHub's vulnerability database is consulted to check for known security issues in the referenced packages. By default (this will change for .NET 10 and up) only direct dependencies are taken into consideration, so a vulnerable package that is pulled in indirectly by one of your references goes unreported. This rule advises including transitive dependencies too by setting <NuGetAuditMode> to All.
More information: learn.microsoft.com/nuget/concepts/auditing-packages
Non-compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <NuGetAuditMode>Direct</NuGetAuditMode>
  </PropertyGroup>
</Project>
Compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <NuGetAuditMode>All</NuGetAuditMode>
  </PropertyGroup>
</Project>
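As an added example (not the analyzer's own code), the following Python script applies this rule's logic to project files: an explicit NuGetAuditMode must be All (values compared case-insensitively), and when the property is missing the default described above is assumed, using the TargetFramework major version as a stand-in for "\.NET 10 and up". The sample project XML is constructed inline and mirrors the two examples on this page.

```python
"""Proj0040 check: does a project audit transitive NuGet dependencies?"""
import re
import xml.etree.ElementTree as ET

# Constructed sample projects mirroring the page's examples.
NON_COMPLIANT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <NuGetAuditMode>Direct</NuGetAuditMode>
  </PropertyGroup>
</Project>"""

COMPLIANT = NON_COMPLIANT.replace("Direct", "All")


def _local(tag):
    """Strip an XML namespace (old-style csproj files carry an xmlns)."""
    return tag.rsplit("}", 1)[-1]


def _property(root, name):
    """Return the last value of an MSBuild property; later PropertyGroups win."""
    value = None
    for el in root.iter():
        if _local(el.tag) == name and el.text:
            value = el.text.strip()
    return value


def audits_transitive(csproj_xml):
    """True when transitive dependencies are audited (Proj0040 compliant).

    Explicit NuGetAuditMode wins. If absent, the SDK default applies:
    'direct' before .NET 10, 'all' from .NET 10 on. Assumption: the
    TargetFramework major version is used as the proxy for that switch,
    and a missing or non-numeric framework is treated as the older default.
    """
    root = ET.fromstring(csproj_xml)
    mode = _property(root, "NuGetAuditMode")
    if mode is not None:
        return mode.lower() == "all"
    match = re.match(r"net(\d+)\.\d+", _property(root, "TargetFramework") or "")
    return match is not None and int(match.group(1)) >= 10


def find_violations(projects):
    """Map {path: csproj_xml} to the sorted list of paths violating Proj0040."""
    return sorted(p for p, xml in projects.items() if not audits_transitive(xml))


if __name__ == "__main__":
    print(find_violations({"bad.csproj": NON_COMPLIANT, "good.csproj": COMPLIANT}))
```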