How to Clean Up Dependencies and Reduce False Vulnerabilities Using NuGet Package Pruning in .NET 10

Introduction

If you've ever run NuGet Audit or a vulnerability scanner on a .NET project, you've probably seen warnings for packages you never directly installed—especially transitive dependencies like System.Text.Json or System.Text.Encodings.Web. In many cases these packages are already provided by the .NET Runtime Libraries at a newer version, making the warning a false positive. With .NET 10, NuGet automatically prunes such packages from the restore graph when the runtime already supplies them, resulting in up to 70% fewer transitive vulnerability reports. This guide walks you through understanding, enabling, and verifying package pruning so you get cleaner dependencies and actionable vulnerability reports.

What You Need

• .NET 10 SDK (or later) installed. Package pruning is a default feature in .NET 10.
• An existing .NET project that targets .NET 10 or later (e.g., net10.0).
• Familiarity with the dotnet CLI.
• Optionally, a vulnerability scanner or NuGet Audit enabled (default in .NET 10).

Step-by-Step Guide

Step 1: Understand the Problem – False Positives from Transitive Packages

Many libraries on nuget.org target netstandard2.0 for broad compatibility and still carry dependencies on packages like System.Memory or System.Text.Json—packages now part of the .NET Runtime Libraries. When you reference such a library, NuGet resolves a transitive dependency from NuGet.org, even though the runtime already provides a newer version. This leads to:

• False-positive vulnerability warnings when a CVE is published against the NuGet version.
• Larger restore graphs with more downloads and noise.
• Stale package references cluttering your dependency tree.

Package pruning removes these redundant packages during restore, making your graph smaller and your vulnerability reports relevant.

Step 2: Verify Your .NET Version

Ensure your project uses .NET 10 or later. Run dotnet --version in your terminal. If below 10.0, update the SDK. For existing projects, change the TargetFramework in your .csproj to net10.0 (or net10.0-windows, etc.).

Step 3: Enable NuGet Audit for All Dependencies (Default in .NET 10)

Package pruning works hand-in-hand with NuGet Audit. In .NET 10, the default audit mode scans transitive dependencies. To confirm or enable it, add or check the following property in your .csproj:

<PropertyGroup>
  <NuGetAuditMode>all</NuGetAuditMode>
</PropertyGroup>

If you have an older project, this ensures all transitive packages are audited. The pruning will automatically exclude those supplied by the runtime.

Step 4: Observe Package Pruning During Restore

Run dotnet restore with the --verbosity detailed flag to see pruning in action:

dotnet restore --verbosity detailed

Look for log lines like "Package 'System.Text.Json' version 8.0.0 pruned because it is provided by the runtime." The .NET SDK includes a list of platform-provided packages per target framework and prunes any transitive dependency whose version falls within that range (e.g., System.Text.Json 8.0.x on .NET 8, 9.0.x on .NET 9, etc.).

Step 5: Interpret Vulnerability Reports After Pruning

After restore, run NuGet Audit again:

dotnet list package --vulnerable

You should see fewer warnings—only packages that are actually used and not provided by the runtime. For example, if you previously saw a CVE for System.Text.Json 8.0.0 and your project targets .NET 10, that warning will disappear because the package is pruned and the runtime uses 10.x. This makes the vulnerability report actionable.

Step 6: Confirm Pruning Effect on Dependency Graph

Compare the dependency graph before and after enabling pruning. Run:

dotnet list package --include-transitive

In a pruned project, you'll notice that packages like System.Text.Json, System.Text.Encodings.Web, System.IO.Pipelines (if within runtime range) no longer appear as resolved transitive dependencies. This confirms cleanup.

Step 7: Update Projects Still Using Older .NET Versions

Package pruning is a .NET 10 feature. If you have projects on older frameworks (e.g., .NET 8), pruning does not apply. For those projects, consider:

• Upgrading to .NET 10 to benefit from automatic pruning.
• Manually removing obsolete package references by using PackageReference with exact versions or using Central Package Management.
• Using NuGetAuditMode to at least audit all dependencies, but false positives will remain.

This step ensures consistency across your solution.

Tips and Best Practices

• Understand the pruning list: The .NET SDK defines which packages are provided by each framework. You don't need to manage it yourself, but being aware helps when you see unexpected pruning.
• Use Central Package Management (CPM): For large solutions, CPM combined with pruning keeps version consistency and reduces duplication.
• Check for edge cases: If a transitive dependency version is outside the runtime's supplied range (e.g., System.Text.Json 9.0.0 when targeting .NET 8), it will not be pruned. That might be intentional if you need a newer API.
• Monitor restore logs: Detailed restore logs are your friend—they show exactly what was pruned and why.
• Combine with vulnerability scanning tools: Tools like GitHub Dependabot or WhiteSource will also see a cleaner graph, reducing noise in alerts.

By following these steps, you'll reduce transitive dependency noise, eliminate false vulnerability warnings, and keep your .NET 10 projects lean. Package pruning is automatic, but understanding how it works ensures you can trust your vulnerability reports.