From e502dd97c39b09f46cb9709009ce9f59a721273d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 29 Sep 2025 17:10:06 +0000 Subject: [PATCH 1/5] Initial plan From f5885d53d24ca028f81b14d7ce16ba83a6797236 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 29 Sep 2025 17:17:01 +0000 Subject: [PATCH 2/5] Add breaking change documentation for dotnet list package audit source warning Co-authored-by: gewarren <24882762+gewarren@users.noreply.github.com> --- docs/core/compatibility/8.0.md | 1 + ...otnet-list-package-audit-source-warning.md | 40 +++++++++++++++++++ docs/core/compatibility/toc.yml | 2 + 3 files changed, 43 insertions(+) create mode 100644 docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md diff --git a/docs/core/compatibility/8.0.md b/docs/core/compatibility/8.0.md index 6c56c864ba3aa..2e86c7d96f4f7 100644 --- a/docs/core/compatibility/8.0.md +++ b/docs/core/compatibility/8.0.md @@ -141,6 +141,7 @@ If you're migrating an app to .NET 8, the breaking changes listed here might aff | [Runtime-specific apps not self-contained](sdk/8.0/runtimespecific-app-default.md) | Source/binary incompatible | | [--arch option doesn't imply self-contained](sdk/8.0/arch-option.md) | Behavioral change | | ['dotnet restore' produces security vulnerability warnings](sdk/8.0/dotnet-restore-audit.md) | Behavioral change | +| [New warning introduced in dotnet list package command](sdk/8.0/dotnet-list-package-audit-source-warning.md) | Behavioral change | | [SDK uses a smaller RID graph](sdk/8.0/rid-graph.md) | Behavioral change/Source incompatible | | [Setting DebugSymbols to false disables PDB generation](sdk/8.0/debugsymbols.md) | Behavioral change | | [Source Link included in the .NET SDK](sdk/8.0/source-link.md) | Source incompatible | 
diff --git a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md new file mode 100644 index 0000000000000..c73295303a9e2 --- /dev/null +++ b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md 
@@ -0,0 +1,40 @@ +--- +title: "Breaking change: New warning introduced in dotnet list package command" +description: "Learn about the breaking change in .NET 8 where dotnet list package --vulnerable emits a warning when audit sources don't support the VulnerabilityInfoResource." +ms.date: 01/18/2025 +ai-usage: ai-assisted +ms.custom: https://github.com/dotnet/docs/issues/42608 +--- +# New warning introduced in dotnet list package command + +When using `dotnet list package --vulnerable`, if a configured `auditsources` does not support the `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source does not provide vulnerability data. + +## Version introduced + +.NET 8 + +## Previous behavior + +The command would silently skip `auditsource`s that lacked vulnerability information, because the command did not use `auditsources` as a source of vulnerability data. + +## New behavior + +The command now emits a warning: +**`Audit source '{0}' did not provide any vulnerability data.`** +This helps users understand why certain sources may not influence the reported vulnerabilities. + +## Type of breaking change + +This is a [behavioral change](../../categories.md#behavioral-change). + +## Reason for change + +This warning came as part of the work to allow customers to use `auditsources` when running the `dotnet list package` command. The warning helps users understand when configured audit sources are not providing the expected vulnerability information. + +## Recommended action + +Check the specified `auditsources` to ensure it supports the `VulnerabilityInfoResource`. If it doesn't, either update the source or replace it with one that provides vulnerability data. + +## Affected APIs + +None. diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 33939a4065721..ecee0a44d3624 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml 
@@ -484,6 +484,8 @@ items: href: sdk/8.0/dotnet-publish-config.md - name: "'dotnet restore' produces security vulnerability warnings" href: sdk/8.0/dotnet-restore-audit.md + - name: New warning introduced in dotnet list package command + href: sdk/8.0/dotnet-list-package-audit-source-warning.md - name: Duplicate output for -getItem, -getProperty, and -getTargetResult href: sdk/8.0/getx-duplicate-output.md - name: Implicit `using` for System.Net.Http no longer added From f1bc7554b7c3ba44b15cc8d481d52fa801a2bdb2 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Mon, 29 Sep 2025 16:49:23 -0700 Subject: [PATCH 3/5] human edits --- docs/core/compatibility/8.0.md | 2 +- ...otnet-list-package-audit-source-warning.md | 24 ++++++++++--------- docs/core/compatibility/toc.yml | 2 +- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/docs/core/compatibility/8.0.md b/docs/core/compatibility/8.0.md index 2e86c7d96f4f7..5589d1c706834 100644 --- a/docs/core/compatibility/8.0.md +++ b/docs/core/compatibility/8.0.md 
@@ -141,7 +141,7 @@ If you're migrating an app to .NET 8, the breaking changes listed here might aff | [Runtime-specific apps not self-contained](sdk/8.0/runtimespecific-app-default.md) | Source/binary incompatible | | [--arch option doesn't imply self-contained](sdk/8.0/arch-option.md) | Behavioral change | | ['dotnet restore' produces security vulnerability warnings](sdk/8.0/dotnet-restore-audit.md) | Behavioral change | -| [New warning introduced in dotnet list package command](sdk/8.0/dotnet-list-package-audit-source-warning.md) | Behavioral change | +| ['dotnet list package' warns if source doesn't provide vulnerability data](sdk/8.0/dotnet-list-package-audit-source-warning.md) | Behavioral change | | [SDK uses a smaller RID graph](sdk/8.0/rid-graph.md) | Behavioral change/Source incompatible | | [Setting DebugSymbols to false disables PDB generation](sdk/8.0/debugsymbols.md) | Behavioral change | | [Source Link included in the .NET SDK](sdk/8.0/source-link.md) | Source incompatible | diff --git a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md index c73295303a9e2..5fedd086c0321 100644 --- a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md +++ b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md 
@@ -1,13 +1,13 @@ --- -title: "Breaking change: New warning introduced in dotnet list package command" -description: "Learn about the breaking change in .NET 8 where dotnet list package --vulnerable emits a warning when audit sources don't support the VulnerabilityInfoResource." -ms.date: 01/18/2025 +title: "Breaking change: 'dotnet list package' warns if source doesn't provide vulnerability data" +description: "Learn about the breaking change in .NET 8 where 'dotnet list package --vulnerable' emits a warning when audit sources don't support VulnerabilityInfoResource." +ms.date: 09/29/2025 ai-usage: ai-assisted ms.custom: https://github.com/dotnet/docs/issues/42608 --- -# New warning introduced in dotnet list package command +# 'dotnet list package' warns if source doesn't provide vulnerability data -When using `dotnet list package --vulnerable`, if a configured `auditsources` does not support the `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source does not provide vulnerability data. +When using `dotnet list package --vulnerable`, if a configured `auditsources` does not support `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source doesn't provide vulnerability data. ## Version introduced 
@@ -15,13 +15,15 @@ When using `dotnet list package --vulnerable`, if a configured `auditsources` do ## Previous behavior -The command would silently skip `auditsource`s that lacked vulnerability information, because the command did not use `auditsources` as a source of vulnerability data. +Previously, the command silently skipped `auditsource` sources that lacked vulnerability information. ## New behavior -The command now emits a warning: -**`Audit source '{0}' did not provide any vulnerability data.`** -This helps users understand why certain sources may not influence the reported vulnerabilities. +Starting in .NET 8, the command emits a warning: + +> Audit source '{0}' did not provide any vulnerability data. + +This warning helps users understand why certain sources may not influence the reported vulnerabilities. ## Type of breaking change @@ -29,11 +31,11 @@ This is a [behavioral change](../../categories.md#behavioral-change). ## Reason for change -This warning came as part of the work to allow customers to use `auditsources` when running the `dotnet list package` command. The warning helps users understand when configured audit sources are not providing the expected vulnerability information. +This warning came as part of the work to allow customers to use `auditsources` when running the `dotnet list package` command. The warning helps users understand when configured audit sources don't provide the expected vulnerability information. ## Recommended action -Check the specified `auditsources` to ensure it supports the `VulnerabilityInfoResource`. If it doesn't, either update the source or replace it with one that provides vulnerability data. +Check the specified `auditsources` to ensure it supports `VulnerabilityInfoResource`. If it doesn't, either update the source or replace it with one that provides vulnerability data. ## Affected APIs diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index ecee0a44d3624..7014be6aa0351 100644 
--- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -484,7 +484,7 @@ items: href: sdk/8.0/dotnet-publish-config.md - name: "'dotnet restore' produces security vulnerability warnings" href: sdk/8.0/dotnet-restore-audit.md - - name: New warning introduced in dotnet list package command + - name: "'dotnet list package' warns if source doesn't provide vulnerability data" href: sdk/8.0/dotnet-list-package-audit-source-warning.md - name: Duplicate output for -getItem, -getProperty, and -getTargetResult href: sdk/8.0/getx-duplicate-output.md From edfb1d14f139de089bc679f49a1def68290f7ad0 Mon Sep 17 00:00:00 2001 From: "Meaghan Osagie (Lewis)" Date: Tue, 30 Sep 2025 11:49:13 -0700 Subject: [PATCH 4/5] Update docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md --- .../sdk/8.0/dotnet-list-package-audit-source-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md index 5fedd086c0321..c4e5375c1feff 100644 --- a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md +++ b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md @@ -23,7 +23,7 @@ Starting in .NET 8, the command emits a warning: > Audit source '{0}' did not provide any vulnerability data. -This warning helps users understand why certain sources may not influence the reported vulnerabilities. +This warning helps users understand why certain sources might not influence the reported vulnerabilities. ## Type of breaking change From 05dae5b09d8a05a68407843a0231bc1ff830aaa1 Mon Sep 17 00:00:00 2001 
From: "Meaghan Osagie (Lewis)" Date: Tue, 30 Sep 2025 11:50:29 -0700 Subject: [PATCH 5/5] Update docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md --- .../sdk/8.0/dotnet-list-package-audit-source-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md index c4e5375c1feff..6bccfc72764ff 100644 --- a/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md +++ b/docs/core/compatibility/sdk/8.0/dotnet-list-package-audit-source-warning.md @@ -7,7 +7,7 @@ ms.custom: https://github.com/dotnet/docs/issues/42608 --- # 'dotnet list package' warns if source doesn't provide vulnerability data -When using `dotnet list package --vulnerable`, if a configured `auditsources` does not support `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source doesn't provide vulnerability data. +When using `dotnet list package --vulnerable`, if a configured `auditsources` doesn't support `VulnerabilityInfoResource`, a warning is now shown to inform the user that the source doesn't provide vulnerability data. ## Version introduced
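Review bot: In the new file added by PATCH 2/5 (`dotnet-list-package-audit-source-warning.md`, hunk `@@ -0,0 +1,40 @@`), the "Recommended action" section tells the reader to ensure the source supports `VulnerabilityInfoResource` but gives no way to check that, and no section says what the warning means for the result. Suggest adding one sentence or link on how to confirm that a source exposes `VulnerabilityInfoResource`. Also state under "New behavior" that when this warning appears, the reported vulnerabilities don't include data from that source, so an empty list isn't confirmation that the audit source found nothing.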
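Review bot: In PATCH 3/5, hunk `@@ -15,13 +15,15 @@` of `dotnet-list-package-audit-source-warning.md`, the rewritten "Previous behavior" sentence drops the clause "because the command did not use `auditsources` as a source of vulnerability data", which was the actual previous behavior. The new wording, "silently skipped `auditsource` sources that lacked vulnerability information", reads as if audit sources were already consulted. Suggest restoring the reason and replacing "`auditsource` sources" with "audit sources", since the singular identifier appears nowhere else on the page. In the same hunk the warning text loses its code formatting and still shows the raw `{0}` placeholder. Keeping it as inline code and noting that `{0}` is the source name would make the message easier to search for and match in build logs.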
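Review bot: In PATCH 5/5, hunk `@@ -7,7 +7,7 @@`, the intro sentence still reads "a configured `auditsources` doesn't support `VulnerabilityInfoResource`", using the plural identifier for a single source. The "Recommended action" line left by PATCH 3/5 has the same mismatch ("Check the specified `auditsources` to ensure it supports"). Suggest "a configured audit source" here and "each configured audit source" in the recommended action, matching the warning text "Audit source '{0}'", and reserving `auditsources` for the configuration setting itself. "a warning is now shown" could also become "Starting in .NET 8, a warning is shown", as the "New behavior" section already does.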