I am extraordinarily apologetic for resurrecting this, but it seemed more correct than creating a new, duplicate topic.
My organization has been and is in the process of making a large number of acquisitions. These companies have their own disparate systems and processes. However, a unifying aspect of the .NET companies is their use of the NuGet API and .NET SDK. Using these channels for deprecations and vulnerabilities via `dotnet list package --vulnerable` and `dotnet list package --outdated` is highly desirable. In no uncertain terms, dependencies distributed and shared by these teams have few differences when compared with dependencies from NuGet.org. In fact, some dependencies shared amongst these teams are distributed via NuGet.org as public packages.
It is far more direct to use established standards which work with NuGet.org feeds, than to add an additional burden of knowledge. At the moment, the only recourse is to create a NuGet.org organization and change our distribution model.