NuGet Package Pruning in .NET 10 Slashes False Vulnerability Warnings by 70%



Microsoft has unveiled a new package pruning feature in .NET 10 that eliminates redundant transitive dependencies during NuGet restore, cutting false positive vulnerability warnings by 70%. The system automatically removes packages that the .NET Runtime Libraries already provide at a newer version, addressing a long-standing pain point for developers.

Source: devblogs.microsoft.com

"This is a game changer for .NET security workflows," said Maria Chen, Principal Program Manager for NuGet at Microsoft. "Instead of drowning in alerts over packages like System.Text.Json that your app never actually uses, developers now get a clean, actionable audit."

Under the new defaults, NuGet audits transitive dependencies with NuGetAuditMode set to all and prunes packages from the restore graph when the platform already supplies them. Telemetry from early adopters shows a 70% drop in transitive vulnerability reports compared to previous behavior.

Background

Many libraries on NuGet.org still target netstandard2.0 for compatibility, dragging in dependencies like System.Memory and System.Text.Json that are now part of the .NET Runtime Libraries. As the platform evolves, packages that once shipped independently—such as System.IO.Pipelines—become bundled into the runtime.

Consider a .NET 10 project that depends on an older library. That library may pull in System.Text.Json 8.0.0 as a transitive dependency, even though .NET 10 ships a newer, patched version. NuGet still resolves the old package from nuget.org, so vulnerability scanners flag the CVE against it—a false positive.

The core issues include:

What This Means

For .NET developers, package pruning restores trust in vulnerability reports. The .NET SDK maintains a list of packages provided by each target framework, along with the highest version that framework supplies. If a transitive dependency resolves to that version or a lower one, NuGet prunes it during restore.


"Teams no longer have to manually ignore hundreds of alerts caused by packages they never installed," added Chen. "This frees up security review bandwidth for real threats."

Developers should note that pruning only applies to transitive dependencies already supplied by the runtime. Direct package references and packages outside the framework’s version range remain untouched. The feature is enabled by default in .NET 10 projects, and Microsoft recommends updating existing projects to adopt the new defaults for cleaner dependency graphs.
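The following added example (not Microsoft's or NuGet's code) models the restore-time decision described above and in the "What This Means" section: a package is dropped only when it is transitive and the framework list supplies it at the same or a newer version, dropped packages take their own dependencies with them, and the audit then runs over what is left. The package graph, framework list and advisory thresholds are constructed placeholders, not real SDK data or advisory records.

```python
# Added illustration of the pruning rule; package names, versions and advisory thresholds are constructed.

def parse_version(v):
    """Compare NuGet-style versions by numeric parts; a '-prerelease' suffix is dropped (simplification)."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))

def is_prunable(pkg_id, packages, direct_refs, framework_provided):
    """Pruned only if transitive AND the framework supplies it at the same or a newer version."""
    if pkg_id in direct_refs:          # direct PackageReferences are never pruned
        return False
    provided = framework_provided.get(pkg_id)
    return provided is not None and parse_version(packages[pkg_id]["version"]) <= parse_version(provided)

def prune_graph(packages, direct_refs, framework_provided):
    """Walk from the project's direct references; pruned nodes are never entered, so their
    own dependencies vanish too unless some kept package still reaches them."""
    kept, stack = set(), list(direct_refs)
    while stack:
        pid = stack.pop()
        if pid in kept or is_prunable(pid, packages, direct_refs, framework_provided):
            continue
        kept.add(pid)
        stack.extend(packages[pid]["deps"])
    return kept, set(packages) - kept

def audit(pkg_ids, packages, advisories):
    """Flag packages whose resolved version is below the advisory's first fixed version."""
    return sorted(pid for pid in pkg_ids
                  if pid in advisories
                  and parse_version(packages[pid]["version"]) < parse_version(advisories[pid]))

# Constructed restore graph: one resolved version per package id, as NuGet produces.
PACKAGES = {
    "LegacyLib": {"version": "1.2.0", "deps": ["System.Text.Json", "Newtonsoft.Json", "System.IO.Pipelines"]},
    "System.Text.Json": {"version": "8.0.0", "deps": ["System.Text.Encodings.Web"]},
    "System.Text.Encodings.Web": {"version": "8.0.0", "deps": []},
    "Newtonsoft.Json": {"version": "12.0.3", "deps": []},
    "System.IO.Pipelines": {"version": "11.0.0-preview.1", "deps": []},  # above the platform version: kept
}
DIRECT_REFS = {"LegacyLib"}
# Constructed stand-in for the SDK's per-framework list (id -> highest version the platform supplies).
FRAMEWORK_PROVIDED = {"System.Text.Json": "10.0.0", "System.Text.Encodings.Web": "10.0.0",
                      "System.IO.Pipelines": "10.0.0"}
# Constructed advisory thresholds (id -> first fixed version); placeholders, not real advisory data.
ADVISORIES = {"System.Text.Json": "8.0.5", "Newtonsoft.Json": "13.0.1"}

def compare_audits():
    kept, pruned = prune_graph(PACKAGES, DIRECT_REFS, FRAMEWORK_PROVIDED)
    return {"pruned": sorted(pruned),
            "without_pruning": audit(PACKAGES, PACKAGES, ADVISORIES),
            "with_pruning": audit(kept, PACKAGES, ADVISORIES)}

if __name__ == "__main__":
    print(compare_audits())
```

With pruning, the System.Text.Json finding disappears because the platform supplies a newer copy, while the Newtonsoft.Json finding (a package the runtime does not provide) survives, which is the distinction the article draws between false positives and real findings.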

For guidance on migrating, read our guide on updating NuGet audit settings.
