
"dotnet list package --deprecated" should report unlisted packages #12643

Open
cremor opened this issue Jun 8, 2023 · 3 comments
Labels
Functionality:ListPackage dotnet.exe list package Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Product:dotnet.exe Type:DCR Design Change Request

Comments

@cremor

cremor commented Jun 8, 2023

NuGet Product(s) Affected

dotnet.exe

Current Behavior

dotnet list package --deprecated only finds deprecated packages.

Desired Behavior

dotnet list package --deprecated should find deprecated and unlisted packages.

Additional Context

Your guide Best practices for a secure software supply chain says the following:

To protect the .NET package ecosystem when you are aware of a vulnerability in a package you have authored, do your best to deprecate and unlist the package [...]

But this guideline is not even followed by your own team, as can be seen in the case of #11883 (comment).

Also, as far as I know, unlisting a package version has been possible for longer than deprecating has. So there might be many old packages out there which should not be used, but can't be found with the currently available commands.

Package consumers should have a way to figure out if they are using any unlisted packages.

An alternative would be a new dotnet list package --unlisted option. But in my opinion it is already annoying that --vulnerable and --deprecated can't be used at the same time, so I wouldn't want to execute a third command to find all "bad" packages.

@jeffkl
Contributor

jeffkl commented Jun 15, 2023

Team Triage: We have concerns that implying that a user who unlisted a package wants us to represent it as deprecated would be bad. Now that users can explicitly deprecate a package, we'd prefer them to convey that themselves. But if the community feels like it's an okay inference that an unlisted package is considered deprecated, we can consider this feature.

@jeffkl jeffkl added Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Pipeline:Icebox labels Jun 15, 2023
@cremor
Author

cremor commented Jun 16, 2023

@jeffkl Is there an alternative way that #11883 (comment) can be handled/noticed?

@WGroenestein

Can we please get unlisted package versions included in the --vulnerable flag? The MS guidance in case of a vulnerability is to unlist, resulting in developers not being notified when they rely on "dotnet list package --vulnerable --include-transitive" as suggested in this blog post.
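Until the CLI reports unlisted versions itself, a consumer can do the check that the original post and the comment above ask for by hand: take every resolved version from the project graph and ask the NuGet v3 registration API whether it is still listed (the registration leaf document carries a boolean `listed` field, treated as `true` when absent). The script below is an added example written for this thread, not NuGet's own code. It assumes the JSON emitted by `dotnet list package --include-transitive --format json` has the simplified shape shown in the constructed sample (`projects` / `frameworks` / `topLevelPackages` / `transitivePackages`, each package with `id` and `resolvedVersion`), and that resolved versions are already in NuGet's normalized form. The `Contoso.*` packages, the sample output and the fake registry are constructed so the demo runs offline; `fetch_listed_online` is the real lookup against api.nuget.org.

```python
"""Report NuGet package versions in a project's resolved graph that are unlisted.

Added example for this issue thread, not NuGet's own tooling. The assumed
input is `dotnet list package --include-transitive --format json`; each
resolved (id, version) is checked against the registration leaf document,
whose boolean `listed` field (default true when absent) is what the
`--deprecated` / `--vulnerable` switches currently do not consult.
"""
import json
import urllib.request
from typing import Callable, List, Set, Tuple

# Real NuGet.org registration base URL (v3 "RegistrationsBaseUrl" resource).
REGISTRATION_BASE = "https://api.nuget.org/v3/registration5-semver1/"

# Constructed sample standing in for `dotnet list package --include-transitive
# --format json` output (schema simplified; package names are made up).
SAMPLE_LIST_OUTPUT = json.dumps({
    "version": 1,
    "projects": [{
        "path": "/src/MyApp/MyApp.csproj",
        "frameworks": [{
            "framework": "net7.0",
            "topLevelPackages": [
                {"id": "Contoso.Widgets", "requestedVersion": "2.0.0",
                 "resolvedVersion": "2.0.0"},
            ],
            "transitivePackages": [
                {"id": "Contoso.Core", "resolvedVersion": "1.4.2"},
            ],
        }],
    }],
})

# Constructed registry state: (lower-cased id, version) -> listed?
# Mimics what the `listed` field of each registration leaf would say.
FAKE_REGISTRY = {
    ("contoso.widgets", "2.0.0"): True,
    ("contoso.core", "1.4.2"): False,   # unlisted transitive dependency
}


def resolved_packages(list_json: str) -> Set[Tuple[str, str]]:
    """Collect every (id, resolvedVersion) pair, top-level and transitive."""
    data = json.loads(list_json)
    found: Set[Tuple[str, str]] = set()
    for project in data.get("projects", []):
        for fw in project.get("frameworks", []):
            for key in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(key, []):
                    found.add((pkg["id"], pkg["resolvedVersion"]))
    return found


def leaf_url(package_id: str, version: str) -> str:
    """Registration leaf URL: lower-cased id and normalized version."""
    return f"{REGISTRATION_BASE}{package_id.lower()}/{version.lower()}.json"


def fetch_listed_online(package_id: str, version: str) -> bool:
    """Query api.nuget.org; absent `listed` means the version is listed."""
    with urllib.request.urlopen(leaf_url(package_id, version), timeout=15) as resp:
        return bool(json.load(resp).get("listed", True))


def fetch_listed_fake(package_id: str, version: str) -> bool:
    """Offline stand-in for fetch_listed_online backed by FAKE_REGISTRY."""
    return FAKE_REGISTRY.get((package_id.lower(), version.lower()), True)


def find_unlisted(list_json: str,
                  fetch_listed: Callable[[str, str], bool] = fetch_listed_online
                  ) -> List[Tuple[str, str]]:
    """Return the sorted list of (id, version) pairs that are no longer listed."""
    return [(pid, ver) for pid, ver in sorted(resolved_packages(list_json))
            if not fetch_listed(pid, ver)]


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_listed_online
    # (and real `dotnet list package` output) for a live check.
    for pid, ver in find_unlisted(SAMPLE_LIST_OUTPUT, fetch_listed_fake):
        print(f"UNLISTED: {pid} {ver}")
```

Running this in CI alongside `--vulnerable` and `--deprecated` closes the gap the thread describes: a version that a maintainer unlisted in response to a vulnerability, but never marked deprecated, still shows up. The check is a point-in-time query against the registry, so it should run on every restore, not once.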
