How can I track down the source of a transitive dependency?

7

46

In a project/solution with lots of <PackageReference> dependencies, it can be difficult to find the source of a transitive dependency that's being pulled in. For example, no projects in my solution directly reference the package System.Data.SqlClient, but something is pulling it in transitively. Tracking that down "by hand" is virtually impossible in a large solution or project with lots of direct package references.

Is there any ready-made way (e.g., a combination of .NET CLI commands) that, given a particular package, will find and reveal the source of the transitive reference? I use Rider, which has some awesome code navigation and "discovery"-type tools, but I can't find anything that helps with my goal.

Note: I also have Visual Studio; if it has this capability built in somewhere, I'd just need a pointer to where/how.

Kahaleel answered 5/6, 2020 at 22:51 Comment(0)
46

A custom tool called dotnet depends is great for viewing reverse dependencies.

  • Installation: dotnet tool install --global dotnet-depends
  • Usage: dotnet depends .\MyProject.csproj

NuGet 6.3 in Visual Studio also shows this if you hover over the transitive package.

[Image: hovering over shows the source of the transitive package]

Superadd answered 12/4, 2023 at 6:44 Comment(4)
Be aware that currently the Transitive Packages are only shown (and appear only in the search) if nuget version > 6.3 (Visual Studio 2022 17.3+) is used and nuget displays one Project (not the Project Solution / not within the multi Project Package View). - Chattel
I get "Unhandled exception. System.InvalidOperationException: Sequence contains no matching element" when I try to use this in my project. - Keeping
The part of "hover over transitive package" is the best answer!!! - Fourhanded
Saved my day! It's a pity that you need an external tool for that but this is finally what I needed. Thanks! - Ambivalence
30

Searching in VS did not work for me, at least not for a BCL package like System.Net.Http. What did work is looking in obj\project.assets.json, which lists all dependencies.

It's a manual process of searching for each package up the tree: find your target package under the "dependencies" node of another package, e.g.:

      "Some.Other.Package/1.0.0": {
        ...
        "dependencies": {
          ...
          "System.Net.Http": "4.3.4"
        }
      }

... then repeat for that package ("Some.Other.Package" in this example) until you get to one that is directly referenced.

There is code to automate this at https://github.com/jerriepelser-blog/AnalyzeDotNetProject but I have not tried it.

Tortuga answered 27/3, 2022 at 16:15 Comment(0)
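
The manual walk through obj\project.assets.json described in the answer above can be scripted, which helps when a scanner flags a package that no project references directly. The following Python code is an added example, not part of the original answer and not the code from the linked repository. It goes beyond the single lookup shown there by returning every chain for every target framework, it assumes the file's "targets" and "projectFileDependencyGroups" sections, and its sample data and package names are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like obj/project.assets.json; names are illustrative.
SAMPLE_ASSETS = json.loads("""{
  "targets": {"net6.0": {
    "Some.Other.Package/1.0.0": {"type": "package", "dependencies": {"Middle.Package": "2.0.0"}},
    "Middle.Package/2.0.0": {"type": "package", "dependencies": {"System.Net.Http": "4.3.4"}},
    "Lib/1.0.0": {"type": "project", "dependencies": {"System.Net.Http": "4.3.4"}},
    "System.Net.Http/4.3.4": {"type": "package"}
  }},
  "projectFileDependencyGroups": {"net6.0": ["Some.Other.Package >= 1.0.0", "Lib >= 1.0.0"]}
}""")


def why(assets, target):
    """Map each target framework to all chains [direct reference, ..., target]."""
    target = target.lower()  # NuGet package ids are case-insensitive
    groups = assets.get("projectFileDependencyGroups", {})
    results = {}
    for tfm, libs in assets.get("targets", {}).items():
        parents = defaultdict(set)  # dependency id -> ids that require it
        display = {}                # lower-cased id -> "Name/Version" key
        for key, info in libs.items():
            name = key.split("/")[0].lower()
            display[name] = key
            for dep in info.get("dependencies", {}):
                parents[dep.lower()].add(name)
        # "Some.Other.Package >= 1.0.0" -> id; "net6.0/win-x64" uses the net6.0 group
        direct = {d.split()[0].lower() for d in groups.get(tfm.split("/")[0], [])}
        chains = []

        def walk(name, below):
            path = [name] + below
            if name in direct:
                chains.append([display.get(n, n) for n in path])
            for parent in sorted(parents[name]):
                if parent not in path:  # guard against cycles
                    walk(parent, path)

        if target in display:
            walk(target, [])
        results[tfm] = chains
    return results


if __name__ == "__main__":
    for tfm, chains in why(SAMPLE_ASSETS, "System.Net.Http").items():
        print(tfm, [" -> ".join(c) for c in chains])
```

To run it against a real project, load the file with json.load and pass the result to why() in place of SAMPLE_ASSETS; project references show up in the chains next to packages.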
23

The capability is built into the latest Visual Studio 2019.

With Visual Studio 2019, Update 6, I can see something like the following:

[Image: Solution Explorer dependencies tree]

Note that you can also discover packages by searching in the solution explorer.

[Image: Solution Explorer search]

Unfortunately it's not available in the NuGet Package Manager installed view yet.

Wherefrom answered 5/6, 2020 at 23:14 Comment(7)
I tried that, but I don't think it's quite comprehensive because, for the specific package I'm trying to track down, it doesn't show any reference except in a project that isn't a dependency of the one I'm researching. - Kahaleel
I'm not following. How do you know that there's a reference to a package then? Note that packages can come in through project references too. - Wherefrom
I know because I can use classes from the package. And yes, I'm aware of project references bringing in transitive dependencies, too. That's part of what makes finding them so tricky. - Kahaleel
Can you look at your project.assets.json file? The SolutionExplorer looks at that as the source of truth. Happy to peek at it if you can share the content. Keep in mind it might contain some PII info in the form of PATs and package names. On the other hand, does search not help? - Wherefrom
Can't fathom why, but this list was incomplete, where dotnet depends was not. - Nariko
@Wherefrom - you know there's a reference to a package because, for example, some external scanner (e.g. Trivy) identifies it as a vulnerability. The problem here is not finding transitive dependencies in a single project, it's finding them in a solution that may have 10s of projects. - Fluorocarbon
I also have the same problem. I can manually go through the transitive package dependencies in Visual Studio, but I can't search for it, which is very tedious if you have a lot of dependencies which in turn have another bunch of dependencies. - Ambivalence
4

Since I had the same problem and didn't find anything working (on SO, Google and my installed VS2022 Ultimate), I've created a PowerShell and Python script.

The script uses the nuget-deps-tree npm package to get a dependency tree and then traverses this tree to find the nuget.

See: https://github.com/Kraego/NailDownNuget

Interlope answered 13/1, 2023 at 13:7 Comment(0)
2

I have DependencyVisualizerTool that can show you the full dependency graph for a given project. For example, for a restore project, it can do the following:

  • Project (blue) App depending on project Lib (blue), and a package with a vulnerability, Newtonsoft.Json 12.0.3 (white means package, red border means vulnerable).
  • It also shows project Lib (blue) depending on a deprecated package, NuGet.Core 2.14.0 (yellow).
  • Finally, it shows NuGet.Core depending on Microsoft.Web.XDT 2.1.0.

Wherefrom answered 26/1, 2024 at 2:1 Comment(3)
That output looks fantastic and super useful. I'm no longer working in .NET so I can't really accept the answer in good faith (I can't try it out), but this looks quite promising for future readers. - Kahaleel
I tried this and I couldn't figure out how to view the diagram... is that something you have to have Visual Studio to view? - Retaliate
You need Visual Studio's DGML viewer, yes. - Wherefrom
0

Not an ideal solution in many cases but just to mention it. Switching to paket dependency manager could help as well, especially for bigger projects. It has a command called paket why that quickly tells you for each package whether it's a top level, a direct or a transient dependency and additionally shows the dependency chain. See this blog post for some examples.

Demitria answered 21/10, 2022 at 9:31 Comment(0)
0

I know this question is old and has many answers, but I wanted to point out a natively available option in Visual Studio 2022:

If you use Manage NuGet Packages for Solution... this will not work. However, if you use Manage NuGet Packages... for a single project, you can simply search for the transitive dependency in the search box, and it will be shown under the "Transitive packages" section. What's more, if you hover over it, you'll see the dependency chain that leads to it.

Breakage answered 18/7, 2024 at 14:54 Comment(0)