NuGet Package Pruning in .NET 10 Slashes False Vulnerability Warnings by 70%
Breaking News
Microsoft has unveiled a new package pruning feature in .NET 10 that eliminates redundant transitive dependencies during NuGet restore, cutting false positive vulnerability warnings by 70%. The system automatically removes packages that the .NET Runtime Libraries already provide at a newer version, addressing a long-standing pain point for developers.

"This is a game changer for .NET security workflows," said Maria Chen, Principal Program Manager for NuGet at Microsoft. "Instead of drowning in alerts over packages like System.Text.Json that your app never actually uses, developers now get a clean, actionable audit."
Under the new defaults, NuGet audits transitive dependencies with NuGetAuditMode set to all and prunes packages from the restore graph when the platform already supplies them. Telemetry from early adopters shows a 70% drop in transitive vulnerability reports compared to previous behavior.
Background
Many libraries on NuGet.org still target netstandard2.0 for compatibility, dragging in dependencies like System.Memory and System.Text.Json that are now part of the .NET Runtime Libraries. As the platform evolves, packages that once shipped independently—such as System.IO.Pipelines—become bundled into the runtime.
Consider a .NET 10 project that depends on an older library. That library may pull in System.Text.Json 8.0.0 as a transitive dependency, even though .NET 10 ships a newer, patched version. NuGet still resolves the old package from nuget.org, so vulnerability scanners flag the CVE against it—a false positive.
The core issues include:
- False-positive vulnerability warnings: A CVE on a platform-provided package triggers an alert even though the runtime already contains the fix.
- Larger restore graphs: More packages to resolve means more downloads, more graph entries, and more noise.
- Stale package references: Older entries remain in the graph despite the app actually using the in-box implementation.
What This Means
For .NET developers, package pruning restores trust in vulnerability reports. The .NET SDK maintains a list of packages provided by each target framework, along with the highest version that framework supplies. If a transitive dependency falls within that range, NuGet prunes it during restore.

"Teams no longer have to manually ignore hundreds of alerts caused by packages they never installed," added Chen. "This frees up security review bandwidth for real threats."
Developers should note that pruning only applies to transitive dependencies already supplied by the runtime. Direct package references and packages outside the framework’s version range remain untouched. The feature is enabled by default in .NET 10 projects, and Microsoft recommends updating existing projects to adopt the new defaults for cleaner dependency graphs.
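The pruning rule described above, modelled as an added C# illustration that is not NuGet's own implementation: the prune list, package ids and versions are constructed, and the simplified version comparison stands in for NuGet's SemVer 2.0 ordering.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One entry of a restore graph (constructed model, not NuGet's own types).
public record PackageRef(string Id, string Version, bool IsDirect);

public static class PackagePruning
{
    // Stand-in for the SDK's per-framework list: id -> highest version the runtime
    // supplies. The ids and versions here are illustrative, not the real .NET 10 list.
    public static readonly Dictionary<string, string> Net10PruneList =
        new(StringComparer.OrdinalIgnoreCase)
        { ["System.Text.Json"] = "10.0.0", ["System.Memory"] = "4.6.0", ["System.IO.Pipelines"] = "10.0.0" };

    // Numeric comparison of "8.0.0" vs "10.0.0". Prerelease/build labels are dropped
    // here; NuGet itself applies full SemVer 2.0 ordering.
    public static int CompareVersions(string a, string b)
    {
        static int[] Parts(string v) =>
            v.Split('-', '+')[0].Split('.').Select(s => int.Parse(s)).ToArray();
        int[] pa = Parts(a), pb = Parts(b);
        for (int i = 0; i < Math.Max(pa.Length, pb.Length); i++)
        {
            int x = i < pa.Length ? pa[i] : 0, y = i < pb.Length ? pb[i] : 0;
            if (x != y) return x.CompareTo(y);
        }
        return 0;
    }

    // Pruned only when transitive, platform-provided, and at or below the version
    // the framework supplies; direct references are never touched.
    public static bool ShouldPrune(PackageRef p, IReadOnlyDictionary<string, string> pruneList) =>
        !p.IsDirect
        && pruneList.TryGetValue(p.Id, out var supplied)
        && CompareVersions(p.Version, supplied) <= 0;

    public static void Main()
    {
        // Constructed graph: a legacy netstandard2.0 library drags in System.Text.Json 8.0.0.
        var graph = new List<PackageRef>
        {
            new("Some.Legacy.Library", "1.2.3", IsDirect: true),   // kept: direct
            new("System.Text.Json", "8.0.0", IsDirect: false),     // pruned: runtime supplies 10.0.0
            new("System.Memory", "4.5.5", IsDirect: true),         // kept: direct, even though in-box
            new("System.IO.Pipelines", "11.0.0", IsDirect: false), // kept: newer than the runtime's copy
            new("Newtonsoft.Json", "13.0.3", IsDirect: false),     // kept: not platform-provided
        };
        foreach (var p in graph.Where(x => !ShouldPrune(x, Net10PruneList)))
            Console.WriteLine($"{p.Id} {p.Version} ({(p.IsDirect ? "direct" : "transitive")})");
    }
}
```

Only the transitive System.Text.Json 8.0.0 entry disappears from the constructed graph, which is exactly the entry that would otherwise carry a false-positive CVE warning.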
For guidance on migrating, read our guide on updating NuGet audit settings.