I'm working on updating packages on multiple projects to eliminate vulnerable nuget packages. We have been doing this on a recurring basis for some time, but I recently got a script built to do better searches across transitive dependencies in all projects under a given path. And... it's exposed quite a few more packages that need to be updated. The basic command I'm using to identify vulnerable packages is dotnet list package --vulnerable --include-transitive.