Description
NuGet Product(s) Affected
dotnet.exe
Current Behavior
The initial implementation of `dotnet package update --vulnerable` works by looking at restore warnings and fixing the NU1901-4 warnings. This means that if your project or repo doesn't have NuGetAudit enabled, then the command will think that there are no packages with known vulnerabilities.
Desired Behavior
The command should find vulnerable packages without restore. If the project has audit disabled, there should also be an option to choose whether the command upgrades only direct package references, or also transitive packages.
Additional Context
I'm sure some customers will want an --audit-source option so they don't need to add nuget.org as either a package source or audit source in their nuget.config file. I'd love to get some feedback from customers who are in this situation, to understand why putting nuget.org in the nuget.config as an audit source is not an option. If audit warnings are not wanted during restore, then disabling NuGetAudit completely will prevent the restore warnings, but will still allow nuget.org as an audit source in nuget.config for package update to use.
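As an added example (constructed for this page, not from the issue author or the NuGet project), here is the setup the Additional Context describes: nuget.org registered only as an audit source in nuget.config, with NuGetAudit disabled in the project so restore emits no NU1901-4 warnings; the private feed URL and project name are placeholders.

```xml
<!-- nuget.config (constructed example): nuget.org is NOT a package source,
     packages come only from the private feed, but nuget.org is still
     registered as an audit source so vulnerability data remains available. -->
<configuration>
  <packageSources>
    <clear />
    <!-- placeholder private feed; replace with the real URL -->
    <add key="internal" value="https://PLACEHOLDER-FEED.example/v3/index.json" />
  </packageSources>
  <auditSources>
    <!-- consulted for vulnerability data only, never for package download -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>

<!-- PlaceholderApp.csproj (constructed example) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Disables the NU1901-NU1904 restore warnings. A command that only reads
         those warnings will then report no vulnerable packages, which is the
         behaviour this issue asks to change; the auditSources entry above is
         what a restore-independent check could use instead. -->
    <NuGetAudit>false</NuGetAudit>
  </PropertyGroup>
</Project>
```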