NuGetAudit should not download vulnerabilities database when project does not use any packages #13073
Labels
Area:HttpCommunication
Area:NuGetAudit
Functionality:Restore
Priority:1
High priority issues that must be resolved in the current sprint.
Type:DCR
Design Change Request
NuGet Product(s) Affected
NuGet.exe, MSBuild.exe, dotnet.exe
Current Behavior
As the title says, NuGetAudit downloads the vulnerabilities database, even when there are no packages to check.
The "easiest" way to validate is to open a CLI shell, set the environment variable http_proxy to http://localhost:12345/ (make sure there isn't a real HTTP proxy running on this port), then do dotnet new console. Note, if you ran a restore more recently than 30 minutes ago, you might need to run dotnet nuget locals http-cache --clear, to ensure that the cached vulnerabilities aren't used.
Desired Behavior
The scenario described above should not fail. In other words, when there are no packages, NuGetAudit should "skip" itself, and avoid making HTTP requests.
Additional Context
No response