
6 Ways NuGet Package Pruning Transforms .NET Dependency Management (and Cuts False Vulnerability Alerts by 70%)

2026-05-19 18:00:13

Have you ever run a vulnerability scan on your .NET project only to be flooded with warnings about packages you never directly added? If so, you're not alone. Those warnings usually point to transitive dependencies (packages pulled in by libraries you do use) whose old versions are still listed in your restore graph even though the .NET runtime you build against already ships a newer copy of the same library. NuGet package pruning, a feature that is on by default in .NET 10, strips those redundant references out of the graph at restore time. The result is a cleaner dependency graph and, according to Microsoft's telemetry, about 70% fewer transitive vulnerability warnings. In this article, we'll walk through six key ways this feature works and why it matters for your next project.

1. The Hidden Problem: Transitive Dependencies Triggering False Positives

When you install a NuGet package, it often brings along its own dependencies; these are transitive dependencies. Many of the packages that show up this way (System.Text.Json or System.Memory, for instance) also ship as part of the .NET runtime's shared framework. When a library asks for an old package version, that version still lands in your restore graph and in the assets file, and vulnerability scanners (NuGet audit included) flag it. This is a classic false positive: at build time the SDK's conflict resolution already prefers the framework's newer assembly over the package's, so the vulnerable build never actually runs, but the stale package entry remains and keeps tripping the audit. Package pruning eliminates this noise by removing those packages from the graph entirely.

Source: devblogs.microsoft.com

2. Why .NET Runtime Libraries Already Cover Many Packages

Over the years, the .NET platform has absorbed many libraries that once shipped only as separate NuGet packages. For instance, System.Text.Encodings.Web and System.IO.Pipelines are now part of the runtime. Those packages still exist on nuget.org so that netstandard2.0 and .NET Framework consumers can use them, and libraries targeting netstandard2.0 for maximum compatibility keep referencing them, even when you build on a modern framework that already includes them. This legacy behavior clogs your dependency graph with unnecessary entries. Pruning knows which packages and versions each target framework provides (e.g., net8.0 supplies System.Text.Json 8.0.x), so it can safely remove the references that are redundant.

3. How Package Pruning Removes Redundant Transitive References at Restore

The work happens during the NuGet restore phase. The .NET SDK supplies, per target framework, a list of platform-provided packages and the version the framework ships (exposed to MSBuild as PrunePackageReference items). When a transitive dependency on one of those packages requests a version at or below the framework's version, the resolver excludes it from the graph. This is not a post-processing step; it is part of the resolution logic itself, so the package is never downloaded, never written to the assets or lock file, and never appears in the final dependency list. Two caveats matter in practice. First, if a dependency requests a higher version than the runtime provides (e.g., System.Text.Json 9.0.0 in a net8.0 project), pruning does not apply, so you still get the version you asked for. Second, pruning only touches transitive references: a direct PackageReference to a prunable package is kept, and NuGet raises warning NU1510 to tell you the reference is redundant and can be removed. The feature is controlled by the RestoreEnablePackagePruning MSBuild property if you need to turn it off while diagnosing a build.


4. The Impact: 70% Fewer Transitive Vulnerability Reports

Microsoft's telemetry for projects on the .NET 10 SDK defaults, where package pruning is enabled and NuGetAuditMode is set to all (so transitive packages are audited, not just direct ones), shows a dramatic drop in noise: compared to projects on the previous defaults, they report 70% fewer transitive vulnerability warnings. Note that audit mode and pruning are separate settings; auditing transitive packages is what surfaces these warnings, and pruning is what removes the ones the framework already supersedes. That translates directly into less time triaging false alarms and a clearer picture of actual risk, because the warnings that remain concern packages the platform does not cover.

5. A Real‑World Example: System.Text.Json in .NET 10

Imagine you're building a .NET 10 application that uses a library originally written for netstandard2.0. That library depends on System.Text.Json 8.0.0. Without pruning, the restore graph includes that version even though .NET 10 ships its own System.Text.Json 10.0.x and that is the assembly your app actually loads. When an advisory is published for System.Text.Json 8.0.0, your build lights up with an audit warning. With pruning enabled, NuGet sees that net10.0 already provides System.Text.Json 10.0.x, which is higher than 8.0.0, and drops the transitive reference from the graph. Result: no false positive, no distraction.
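To make the rules in sections 3 and 5 concrete, here is a small Python model of the pruning decision and its effect on audit warnings. It is an added illustration written for this article, not NuGet's own code. The prune map (standing in for the SDK's net10.0 list), the dependency graph (including the hypothetical package Contoso.Legacy), and the advisory are all constructed sample inputs; the NU1510 message is paraphrased from the real warning. It also covers the edge cases the text calls out: a transitive reference above the framework version is kept (here a prerelease 11.0.0, which shows the release-above-prerelease ordering rule), and a redundant direct reference is warned about rather than pruned.

```python
"""Model of NuGet package pruning and its effect on NuGet audit warnings.

Added illustration, not NuGet's implementation. The prune map, dependency
graph and advisory below are constructed sample inputs.
"""
from dataclasses import dataclass


def version_key(v: str):
    """Sort key for a NuGet-style version 'major.minor.patch[.rev][-pre]'.

    A release version ranks above any prerelease of the same number,
    e.g. 10.0.0 > 10.0.0-preview.1 (semver ordering)."""
    core, _, pre = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))  # 8.0 == 8.0.0.0
    return (tuple(parts), (1, "") if not pre else (0, pre.lower()))


@dataclass(frozen=True)
class Ref:
    id: str
    version: str
    direct: bool        # True = PackageReference in the project file
    via: str = ""       # package that pulled in a transitive reference


# Constructed stand-in for the SDK's prune list for net10.0: the package
# versions the framework itself supplies. Not the SDK's real table.
PRUNE_MAP_NET10 = {
    "System.Text.Json": "10.0.0",
    "System.IO.Pipelines": "10.0.0",
    "System.Text.Encodings.Web": "10.0.0",
}

# Constructed restore graph for a net10.0 app consuming a netstandard2.0
# library (Contoso.Legacy is hypothetical) with old framework-provided deps.
GRAPH = [
    Ref("Contoso.Legacy", "3.1.0", direct=True),
    Ref("System.Text.Json", "8.0.0", direct=False, via="Contoso.Legacy"),
    Ref("System.IO.Pipelines", "11.0.0-preview.1", direct=False, via="Contoso.Legacy"),
    Ref("System.Text.Encodings.Web", "8.0.0", direct=True),
    Ref("Newtonsoft.Json", "13.0.3", direct=False, via="Contoso.Legacy"),
]

# Constructed advisory mirroring the article's hypothetical: System.Text.Json
# versions below 8.0.1 are affected. Not a real advisory.
ADVISORIES = {"System.Text.Json": "8.0.1"}  # package id -> first fixed version


def prune(graph, prune_map):
    """Apply the pruning rule: a *transitive* reference whose version is at or
    below the framework-supplied version is dropped. Higher versions, unmapped
    packages and direct references are kept; a redundant direct reference
    gets a NU1510-style notice (message paraphrased) instead of being pruned."""
    kept, pruned, notices = [], [], []
    for ref in graph:
        supplied = prune_map.get(ref.id)
        redundant = supplied is not None and version_key(ref.version) <= version_key(supplied)
        if redundant and not ref.direct:
            pruned.append(ref)
            continue
        kept.append(ref)
        if redundant:
            notices.append(f"NU1510: PackageReference {ref.id} {ref.version} will not be pruned; "
                           "it is supplied by the framework, consider removing it")
    return kept, pruned, notices


def audit(graph, advisories, mode="all"):
    """NuGetAuditMode model: 'direct' checks only project references,
    'all' also checks transitive ones. Returns the flagged id/version pairs."""
    hits = []
    for ref in graph:
        if mode == "direct" and not ref.direct:
            continue
        fixed = advisories.get(ref.id)
        if fixed and version_key(ref.version) < version_key(fixed):
            hits.append(f"{ref.id} {ref.version}")
    return hits


def compare(graph=GRAPH, prune_map=PRUNE_MAP_NET10, advisories=ADVISORIES):
    """Audit the same graph with and without pruning."""
    before = audit(graph, advisories)
    kept, pruned, notices = prune(graph, prune_map)
    return {
        "before": before,
        "after": audit(kept, advisories),
        "kept": [f"{r.id} {r.version}" for r in kept],
        "pruned": [f"{r.id} {r.version}" for r in pruned],
        "notices": notices,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the transitive System.Text.Json 8.0.0 being the only pruned entry and the only pre-pruning audit hit, so the post-pruning audit is empty; System.IO.Pipelines 11.0.0-preview.1 survives because it is above the framework's 10.0.0, and the direct System.Text.Encodings.Web 8.0.0 survives with a NU1510-style notice. The real NuGet comparison uses NuGetVersion, which handles build metadata and longer prerelease labels this toy key ignores.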

6. Additional Benefits: Cleaner Graphs, Fewer Stale References, Less Noise

Beyond cutting false vulnerability reports, pruning delivers the three concrete improvements named in the heading: a cleaner dependency graph that shows only what your build actually downloads, fewer stale references to package versions the framework has long since superseded, and less noise in audit output.

In short, package pruning makes NuGet audits actionable and your projects leaner. It's a silent cleanup that keeps your attention on what truly matters.

Ready to see it in action? Move your project to the .NET 10 SDK, where pruning and transitive auditing are the defaults (the RestoreEnablePackagePruning MSBuild property toggles pruning explicitly if you need to compare results), and your future self, along with your security team, will thank you.
