dotnet-retire 1.0.4

There is a newer version of this package available.
See the version list below for details.
dotnet add package dotnet-retire --version 1.0.4
NuGet\Install-Package dotnet-retire -Version 1.0.4
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="dotnet-retire" Version="1.0.4" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add dotnet-retire --version 1.0.4
#r "nuget: dotnet-retire, 1.0.4"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install dotnet-retire as a Cake Addin
#addin nuget:?package=dotnet-retire&version=1.0.4

// Install dotnet-retire as a Cake Tool
#tool nuget:?package=dotnet-retire&version=1.0.4


dotnet-retire

A dotnet CLI extension to check your project for known vulnerabilities.

Install

As the CLI doesn't currently allow us to install tools from the command line, you'll need to modify your csproj manually.

<ItemGroup>
  <DotNetCliToolReference Include="dotnet-retire" Version="1.0.1" />
</ItemGroup>

Or if your project is still using the preview2 tooling, modify your project.json

"tools": {
  "dotnet-retire": "1.0.1"
}

Usage

$ dotnet retire


How does it work?

It fetches the packages listed in the corresponding packages repo in this GitHub organization, and checks your project's obj\project.assets.json or project.lock.json file for any match (direct or transitive).

The list of packages is kept up to date by updating that repo whenever Microsoft makes an announcement: additional JSON files are added with links to the announcements from Microsoft's security team.
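The check described above, sketched in Python as an added example (this is not dotnet-retire's own code). The assets file and the advisory list are constructed samples, the advisory field names (id, version, link) are assumptions rather than the feed's actual schema, and versions are matched by exact string.

```python
import json

# Constructed, trimmed sample of obj/project.assets.json (package names are made up).
ASSETS = json.loads("""
{
  "targets": {
    ".NETCoreApp,Version=v1.1": {
      "Example.Web/1.0.0": {"type": "package",
                            "dependencies": {"Example.Parser": "2.0.0"}},
      "Example.Parser/2.0.0": {"type": "package"},
      "Example.Logging/3.1.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {
    ".NETCoreApp,Version=v1.1": ["Example.Web >= 1.0.0", "Example.Logging >= 3.1.0"]
  }
}
""")

# Constructed advisory list; the field names are assumptions, not the feed's schema.
ADVISORIES = [
    {"id": "example.parser", "version": "2.0.0", "link": "https://example.invalid/advisory-1"},
    {"id": "Example.Logging", "version": "3.1.0", "link": "https://example.invalid/advisory-2"},
    {"id": "Example.Web", "version": "0.9.0", "link": "https://example.invalid/advisory-3"},
]

def find_vulnerable(assets, advisories):
    """Return (id, version, 'direct'|'transitive', pulled-in-by, link) per match."""
    direct = {entry.split()[0].lower()
              for group in assets.get("projectFileDependencyGroups", {}).values()
              for entry in group if entry.strip()}
    known = {(a["id"].lower(), a["version"]): a["link"] for a in advisories}
    findings = set()
    for libs in assets.get("targets", {}).values():
        parents = {}  # dependency id -> ids of the packages that reference it
        for key, lib in libs.items():
            for dep in lib.get("dependencies", {}):
                parents.setdefault(dep.lower(), set()).add(key.split("/")[0])
        for key, lib in libs.items():
            name, _, version = key.partition("/")
            link = known.get((name.lower(), version))  # NuGet ids are case-insensitive
            if lib.get("type") == "package" and link:
                kind = "direct" if name.lower() in direct else "transitive"
                via = tuple(sorted(parents.get(name.lower(), ())))
                findings.add((name, version, kind, via, link))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_vulnerable(ASSETS, ADVISORIES):
        print(finding)
```

Example.Parser is never referenced by the project file, so only a scan of the resolved targets graph finds it; a packages.config-only check would miss it.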

Other projects with similar functionality:

SafeNuGet

Runs as part of the build (MSBuild target). Analyzes packages.config, does not handle transitive dependencies.

DevAudit

Standalone .NET console app. Analyzes packages.config, does not handle transitive dependencies.

There are no supported framework assets in this package.


NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
5.0.0 33,774 11/26/2020
4.0.1 60,464 1/31/2020
3.1.0 2,364 11/2/2019
3.0.0 657 11/1/2019
2.4.1 756 10/31/2019
2.4.0 665 10/31/2019
2.3.3 4,127 6/13/2019
2.3.2 3,440 9/11/2018
2.3.1 995 9/8/2018
2.1.1 978 8/22/2018
2.1.0 1,473 8/18/2018
2.0.0 959 8/18/2018
1.0.4 30,797 6/8/2017
1.0.3 1,228 6/8/2017
1.0.3-beta007 850 5/31/2017
1.0.2 26,214 5/19/2017
1.0.1 4,020 5/16/2017
1.0.0 11,373 5/15/2017
1.0.0-beta002 894 5/15/2017
1.0.0-beta001 891 5/15/2017

* Remove reporting on transient vulnerabilities.
* Bugfix: Change to in-mem appSettings, as dotnet tools don't have access to NuGet content folder the same way as regular NuGets when they're run (path issues).