Expand Audit to include diagnostic information about packages

[richlander]

At present, Audit is focused on CVEs in NuGet packages. It should be expanded more broadly. This will undoubtably need to be described in a spec.

Here's some ideas to report on:

• PackageRef lifts a package graph to a new major version
• PackageRef is to non-latest package
• PackageRef is to deprecated/unsupported packages
• PackageRef is to package that hasn't been updated in n months/years.
• TFM/target runtime is EOL
• TFM/target runtime doesn't support current OS

Tracking issues:

• Add End-of-Life (EOL) Status for NuGet Packages NuGet/Home#13598
• NuGet should report lifting from runtime-band to latest servicing for .NET packages NuGet/Home#14085
• NuGet CLI should provide a local dependabot-like experience NuGet/Home#14087
• Stale packages should be updated as deprecated monthly core#9714

[richlander]

@baronfel @aortiz-msft @OliaG @ericstj @eerhardt @DamianEdwards

[baronfel]

I've removed the NuGet area label because otherwise the bot will auto-close it.

[aortiz-msft]

@OliaG - These seem like separate feature requests. Would you please help prioritize based on current experience/data and opening new issues in NuGet/Home?

[baronfel]

@aortiz-msft @OliaG one key difference is that only some of the assets Rich mentions are tracked by NuGet/Audit infrastructure. It's sounds like @richlander is looking at expanding the scope of 'audit' as a concept.

[richlander]

Yes. This should be NOT opened in nuget/home. The goal is to make this an SDK feature.

[aortiz-msft]

NuGet is part of the SDK. We can keep this issue open here, but we will need items in our own repo for planning, etc.

[richlander]

I made tracking issues in NuGet home / linked to existing issues. We can now discuss the details on those issues.