Add breaking change documentation for dotnet list package audit source warning

Co-authored-by: gewarren <[email protected]>

Author: Copilot

docs/core/compatibility/8.0.md

@@ -141,6 +141,7 @@ If you're migrating an app to .NET 8, the breaking changes listed here might aff
 | [Runtime-specific apps not self-contained](sdk/8.0/runtimespecific-app-default.md)             | Source/binary incompatible                       |
 | [--arch option doesn't imply self-contained](sdk/8.0/arch-option.md)                           | Behavioral change                                |
 | ['dotnet restore' produces security vulnerability warnings](sdk/8.0/dotnet-restore-audit.md)   | Behavioral change                                |
+| [New warning introduced in dotnet list package command](sdk/8.0/dotnet-list-package-audit-source-warning.md) | Behavioral change                                |
 | [SDK uses a smaller RID graph](sdk/8.0/rid-graph.md)                                           | Behavioral change/Source incompatible            |
 | [Setting DebugSymbols to false disables PDB generation](sdk/8.0/debugsymbols.md)               | Behavioral change                                |
 | [Source Link included in the .NET SDK](sdk/8.0/source-link.md)                                 | Source incompatible                              |

docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md

@@ -0,0 +1,40 @@
+---
+title: "Breaking change: New warning introduced in dotnet list package command"
+description: "Learn about the breaking change in .NET 8 where dotnet list package --vulnerable emits a warning when audit sources don't support the VulnerabilityInfoResource."
+ms.date: 01/18/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs/issues/42608
+---
+# New warning introduced in dotnet list package command
+
+When using `dotnet list package --vulnerable`, if a configured `auditsources` does not support the `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source does not provide vulnerability data.
+
+## Version introduced
+
+.NET 8
+
+## Previous behavior
+
+The command would silently skip `auditsource`s that lacked vulnerability information, because the command did not use `auditsources` as a source of vulnerability data.
+
+## New behavior
+
+The command now emits a warning:
+**`Audit source '{0}' did not provide any vulnerability data.`**
+This helps users understand why certain sources may not influence the reported vulnerabilities.
+
+## Type of breaking change
+
+This is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+This warning came as part of the work to allow customers to use `auditsources` when running the `dotnet list package` command. The warning helps users understand when configured audit sources are not providing the expected vulnerability information.
+
+## Recommended action
+
+Check the specified `auditsources` to ensure it supports the `VulnerabilityInfoResource`. If it doesn't, either update the source or replace it with one that provides vulnerability data.
+
+## Affected APIs
+
+None.

docs/core/compatibility/toc.yml

@@ -484,6 +484,8 @@ items:
                 href: sdk/8.0/dotnet-publish-config.md
               - name: "'dotnet restore' produces security vulnerability warnings"
                 href: sdk/8.0/dotnet-restore-audit.md
+              - name: New warning introduced in dotnet list package command
+                href: sdk/8.0/dotnet-list-package-audit-source-warning.md
               - name: Duplicate output for -getItem, -getProperty, and -getTargetResult
                 href: sdk/8.0/getx-duplicate-output.md
               - name: Implicit `using` for System.Net.Http no longer added