
Dotnet Nuget Why, your new best friend to troubleshoot transitive dependencies issues

Author: Massimiliano Donini

Recently, a new dotnet CLI command was introduced without too much fanfare, so I thought it was worth writing a few lines about it. The command is dotnet nuget why, and it is very useful for debugging transitive dependency issues: it helps figure out why a transitive package is referenced.

This command is available starting with .NET SDK version 8.0.4xx, so ensure you have at least that version installed. If not, you can download it here.

Tip

You can access the command’s documentation on the Microsoft website.

You can verify if you have a compatible SDK using the following commands:

dotnet --info

The output of this command will display, among other details, all the dotnet SDKs installed on the machine along with their respective versions.

or

dotnet --list-sdks

Usage

The command usage looks like the following:

dotnet nuget why <PROJECT|SOLUTION> <PACKAGE> [-f|--framework <FRAMEWORK>]

The output looks similar to the following:

dotnet nuget why ConsoleApplication.sln System.Collections.Immutable
Project 'ConsoleApplication' has the following dependency graph(s) for 'System.Collections.Immutable':

  [net8.0]
   │
   └─ BenchmarkDotNet (v0.13.12)
      ├─ Microsoft.CodeAnalysis.CSharp (v4.1.0)
      │  └─ Microsoft.CodeAnalysis.Common (v4.1.0)
      │     └─ System.Collections.Immutable (v5.0.0)
      └─ Microsoft.Diagnostics.Runtime (v2.2.332302)
         └─ System.Collections.Immutable (v5.0.0)

If the project under analysis targets multiple frameworks, there’s an option to specify which framework to look at using the -f flag as shown below:

dotnet nuget why ConsoleApplication.sln System.Collections.Immutable -f net6.0
Project 'ConsoleApplication' has the following dependency graph(s) for 'System.Collections.Immutable':

  [net6.0]
   │
   └─ BenchmarkDotNet (v0.13.12)
      ├─ Microsoft.CodeAnalysis.CSharp (v4.1.0)
      │  └─ Microsoft.CodeAnalysis.Common (v4.1.0)
      │     └─ System.Collections.Immutable (v5.0.0)
      └─ Microsoft.Diagnostics.Runtime (v2.2.332302)
         └─ System.Collections.Immutable (v5.0.0)

Inspect transitive vulnerabilities

This tool is especially useful when there’s a vulnerable transitive dependency to investigate.

It would be useful to have a flag that shows all vulnerable packages in a given project, but that’s not currently available. However, you can achieve this with a bit of Linux shell gymnastics as follows:

dotnet list package --vulnerable --include-transitive --format json | grep '"id"' | cut -d':' -f2 | sed 's/"\(.*\)".*/\1/' | xargs -I {} dotnet nuget why <project name> {}
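The same extraction as an added example (not from the original post), parsing the JSON report in Python instead of matching lines: it keeps only transitive packages and builds one dotnet nuget why command per project and framework, worst severity first. The report is a constructed sample; its field names follow the --format json layout as assumed here, and the package names, paths and advisory URLs are made up.

```python
import json
import shlex

# Constructed sample of `dotnet list package --vulnerable --include-transitive
# --format json` output; field names are assumed, packages and URLs are made up.
SAMPLE_REPORT = """
{"version": 1, "projects": [
  {"path": "/src/identity/ConsoleApplication.csproj", "frameworks": [
    {"framework": "net8.0",
     "topLevelPackages": [
       {"id": "Example.Direct", "resolvedVersion": "1.0.0",
        "vulnerabilities": [{"severity": "Moderate", "advisoryurl": "https://example.invalid/a1"}]}],
     "transitivePackages": [
       {"id": "Example.Deep", "resolvedVersion": "2.3.0",
        "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/a2"},
                            {"severity": "Critical", "advisoryurl": "https://example.invalid/a3"}]}]},
    {"framework": "net6.0",
     "transitivePackages": [
       {"id": "Example.Deep", "resolvedVersion": "2.3.0",
        "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/a2"}]}]}]},
  {"path": "/src/Clean.csproj"}]}
"""

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}

def vulnerable_transitives(report_text):
    """Return (project, framework, package, version, worst severity) rows."""
    rows = []
    for project in json.loads(report_text).get("projects", []):
        for fw in project.get("frameworks", []):  # tolerate projects with no findings
            for pkg in fw.get("transitivePackages", []):
                sevs = [v["severity"] for v in pkg.get("vulnerabilities", [])]
                if sevs:
                    worst = max(sevs, key=lambda s: SEVERITY_RANK.get(s, -1))
                    rows.append((project["path"], fw["framework"], pkg["id"],
                                 pkg["resolvedVersion"], worst))
    return sorted(rows, key=lambda r: (-SEVERITY_RANK.get(r[4], -1), r[:3]))

def why_commands(rows):
    """Build one shell-quoted `dotnet nuget why` command per row."""
    return [shlex.join(["dotnet", "nuget", "why", proj, pkg, "-f", fw])
            for proj, fw, pkg, _version, _sev in rows]

if __name__ == "__main__":
    for line in why_commands(vulnerable_transitives(SAMPLE_REPORT)):
        print(line)
```

To run it on a real project, pass the JSON printed by the dotnet list package command above to vulnerable_transitives in place of SAMPLE_REPORT.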

That’s it for today, I hope you find this useful, till the next time!