NuGet
diff --git a/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/IPackageUpdateIO.cs‎
Lines changed: 5 additions & 1 deletion b/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/IPackageUpdateIO.cs‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/IVersionChooser.cs‎
Lines changed: 9 additions & 0 deletions b/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/IVersionChooser.cs‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/Package.cs‎
Lines changed: 31 additions & 1 deletion b/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/Package.cs‎
Lines changed: 31 additions & 1 deletion
diff --git a/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/PackageUpdateArgs.cs‎
Lines changed: 3 additions & 1 deletion b/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/PackageUpdateArgs.cs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/PackageUpdateCommand.cs‎
Lines changed: 6 additions & 0 deletions b/‎src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Package/Update/PackageUpdateCommand.cs‎
Lines changed: 6 additions & 0 deletions
@@ -1,6 +1,8 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+#nullable enable
+
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
@@ -22,7 +24,7 @@ internal interface IPackageUpdateIO
     /// </summary>
     /// <param name="project">The project or solution requested.</param>
     /// <returns>A DependencyGraphSpec representing the restore inputs.</returns>
-    DependencyGraphSpec GetDependencyGraphSpec(string project);
+    DependencyGraphSpec? GetDependencyGraphSpec(string project);
 
     /// <summary>
     /// Loads settings from the specified project directory.
@@ -74,5 +76,7 @@ internal abstract class RestoreResult
         /// Was the preview restore operation successful
         /// </summary>
         public abstract bool Success { get; }
+
+        public abstract LockFile? AssetsFile { get; }
     }
 }
@@ -3,9 +3,11 @@
 
 #nullable enable
 
+using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
 using NuGet.Common;
+using NuGet.Protocol.Model;
 using NuGet.Versioning;
 
 namespace NuGet.CommandLine.XPlat.Commands.Package.Update
@@ -16,5 +18,12 @@ internal interface IVersionChooser
             string packageId,
             ILogger logger,
             CancellationToken cancellationToken);
+
+        Task<NuGetVersion?> GetNonVulnerableAsync(
+            string packageId,
+            NuGetVersion minVersion,
+            ILogger logger,
+            IReadOnlyList<IReadOnlyDictionary<string, IReadOnlyList<PackageVulnerabilityInfo>>> knownVulnerabilities,
+            CancellationToken cancellationToken);
     }
 }
@@ -3,13 +3,15 @@
 
 #nullable enable
 
+using System;
 using System.Collections.Generic;
 using System.CommandLine.Parsing;
+using System.Diagnostics.CodeAnalysis;
 using NuGet.Versioning;
 
 namespace NuGet.CommandLine.XPlat.Commands.Package.Update
 {
-    internal record Package
+    internal record Package : IEqualityComparer<Package>
     {
         public required string Id { get; init; }
         public required VersionRange? VersionRange { get; init; }
@@ -59,5 +61,33 @@ internal static IReadOnlyList<Package> Parse(ArgumentResult result)
 
             return packages;
         }
+
+        public bool Equals(Package? x, Package? y)
+        {
+            if (ReferenceEquals(x, y))
+            {
+                return true;
+            }
+
+            if (x is null || y is null)
+            {
+                return false;
+            }
+
+            if (!x.Id.Equals(y.Id, StringComparison.OrdinalIgnoreCase))
+            {
+                return false;
+            }
+
+            return VersionRangeComparer.Default.Equals(x.VersionRange, y.VersionRange);
+        }
+
+        public int GetHashCode([DisallowNull] Package obj)
+        {
+            HashCode hash = new HashCode();
+            hash.Add(obj.Id, StringComparer.OrdinalIgnoreCase);
+            hash.Add(obj.VersionRange);
+            return hash.ToHashCode();
+        }
     }
 }
@@ -8,7 +8,7 @@
 
 namespace NuGet.CommandLine.XPlat.Commands.Package.Update
 {
-    internal class PackageUpdateArgs
+    internal record PackageUpdateArgs
     {
         public required string Project { get; init; }
 
@@ -17,5 +17,7 @@ internal class PackageUpdateArgs
         public required bool Interactive { get; init; }
 
         public required LogLevel LogLevel { get; init; }
+
+        public required bool Vulnerable { get; init; }
     }
 }
@@ -36,6 +36,10 @@ internal static void Register(Command packageCommand, Option<bool> interactiveOp
         projectOption.Description = Strings.PackageUpdateCommand_ProjectOptionDescription;
         command.Options.Add(projectOption);
 
+        var vulnerableOption = new Option<bool>("--vulnerable");
+        vulnerableOption.Description = Strings.PackageUpdateCommand_VulnerableOptionDescription;
+        command.Options.Add(vulnerableOption);
+
         command.Options.Add(interactiveOption);
 
         var verbosityOption = CommonOptions.GetVerbosityOption();
@@ -49,13 +53,15 @@ internal static void Register(Command packageCommand, Option<bool> interactiveOp
             bool interactive = args.GetValue(interactiveOption);
             VerbosityEnum verbosity = args.GetValue(verbosityOption) ?? VerbosityEnum.normal;
             LogLevel logLevel = verbosity.ToLogLevel();
+            bool vulnerable = args.GetValue(vulnerableOption);
 
             var commandArgs = new PackageUpdateArgs
             {
                 Project = project?.FullName ?? Environment.CurrentDirectory,
                 Packages = packages,
                 Interactive = interactive,
                 LogLevel = logLevel,
+                Vulnerable = vulnerable,
             };
 
             return await action(commandArgs, cancellationToken);
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`
`9`	`9`	`namespace NuGet.CommandLine.XPlat.Commands.Package.Update`
`10`	`10`	`{`
`11`		`- internal class PackageUpdateArgs`
	`11`	`+ internal record PackageUpdateArgs`
`12`	`12`	`{`
`13`	`13`	`public required string Project { get; init; }`
`14`	`14`
`@@ -17,5 +17,7 @@ internal class PackageUpdateArgs`
`17`	`17`	`public required bool Interactive { get; init; }`
`18`	`18`
`19`	`19`	`public required LogLevel LogLevel { get; init; }`
	`20`	`+`
	`21`	`+ public required bool Vulnerable { get; init; }`
`20`	`22`	`}`
`21`	`23`	`}`