| name | nuget-fetcher |
| description | Fetch NuGet package metadata, versions, vulnerabilities, compat matrix, and deprecation status. Supports dotnet list package and NuGet.org v3 API. |
| argument-hint | <package name> [--version <v>] |
| effort | low |
nuget-fetcher
Retrieve concrete NuGet package facts — no hallucinated versions or
APIs.
Primary Commands
dotnet list package
dotnet list package --outdated
dotnet list package --vulnerable --include-transitive
dotnet list package --deprecated
curl -s "https://api.nuget.org/v3/registration5-semver1/<id>/index.json"
curl -s "https://api.nuget.org/v3/index.json"
curl -s "https://api.nuget.org/v3/catalog0/index.json"
What to Retrieve
Per package:
- Latest stable version + pre-release if diverged
- Publish date of latest version
- Supported target frameworks (from .nuspec)
- Dependencies (direct only — deep trees are noise)
- License + license expression
- Repository URL + last-commit signal
- Known CVEs (via
--vulnerable or GitHub Advisory)
- Deprecation status
Flow
- Normalize package id (case-insensitive on NuGet.org)
- Query NuGet.org registration endpoint OR use
dotnet list package inside the project
- Extract version, frameworks, deps, license
- Cross-check CVE via
dotnet list package --vulnerable
- Output compact summary — not raw JSON
Iron Laws
- Never fabricate a version number
- Verify the package id exactly (typosquatting risk)
- Flag
--vulnerable matches as security-critical
- Prefer official MS-owned packages when equivalent community package
is unmaintained
Output Template
# Polly — NuGet metadata
| Field | Value |
|-------|-------|
| Latest | 8.4.0 (stable) |
| Published | 2026-03-20 |
| Target frameworks | net6.0, net8.0, net9.0 |
| License | BSD-3-Clause |
| Repository | github.com/App-vNext/Polly |
| Vulnerabilities | none |
| Deprecated | no |
## Direct deps (latest)
- Microsoft.Bcl.AsyncInterfaces ≥ 6.0.0
## Notable
- v8 is a major rewrite with breaking API changes from v7
- `Microsoft.Extensions.Http.Resilience` wraps Polly for HttpClient
Integration
Used by:
nuget-researcher agent (library evaluation)
/dotnet:research --library skill
/dotnet:plan when evaluating deps
audit / techdebt skills
References
${CLAUDE_SKILL_DIR}/references/nuget-api.md — v3 endpoints,
registration, flat container, search
${CLAUDE_SKILL_DIR}/references/vuln-sources.md — GHSA, NuGet
advisories, --vulnerable limits
${CLAUDE_SKILL_DIR}/references/framework-monikers.md — TFM
compatibility reference
Anti-patterns
- Returning raw JSON — users want the summary
- Ignoring
--vulnerable results
- Not distinguishing stable from pre-release when user asked for
stable
- Recommending a package without verifying its id exactly