From ceec92dd09373d27a03959a31c13f329753d8970 Mon Sep 17 00:00:00 2001 From: Jon Douglas Date: Wed, 28 Aug 2024 14:07:39 -0500 Subject: [PATCH 1/2] Add transitive guidance --- docs/concepts/Auditing-Packages.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index c2e03d2e5..b524df01d 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md @@ -125,6 +125,15 @@ If security vulnerabilities are found and updates are available for the package, - Use the NuGet package manager user interface in Visual Studio to update the individual package. - Run the `dotnet add package` command with the respective package ID to update to the latest version. +#### Transitive Packages + +If a known vulnerability exists in a top-level package's transitive dependencies, you have these options: + +- Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available. +- Use [Central Package Management with the transitive pinning functionality](https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning). +- [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until a package version update becomes available. +- File an issue in the top-level package's tracker to request an update. + ### Security vulnerabilities found with no updates In the case that a known vulnerability exists in a package without a security fix, you can do the following. From 061cc2c092bb5c5ddca91c94a9d2f40adb62f93f Mon Sep 17 00:00:00 2001 From: Jon Douglas Date: Wed, 11 Sep 2024 10:20:42 -0500 Subject: [PATCH 2/2] Update Auditing-Packages.md --- docs/concepts/Auditing-Packages.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index b524df01d..d05323ad8 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md @@ -129,9 +129,9 @@ If security vulnerabilities are found and updates are available for the package, If a known vulnerability exists in a top-level package's transitive dependencies, you have these options: -- Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available. +- Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior. - Use [Central Package Management with the transitive pinning functionality](https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning). -- [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until a package version update becomes available. +- [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until it can be addressed. - File an issue in the top-level package's tracker to request an update. ### Security vulnerabilities found with no updates
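Review bot: In the PATCH 1/2 hunk (`@@ -125,6 +125,15 @@`), the third bullet under `#### Transitive Packages` links to `https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories`, which is the published URL of the file this patch edits (`docs/concepts/Auditing-Packages.md`); a same-page link should be a relative anchor, e.g. `- [Suppress the advisory](#excluding-advisories) until a package version update becomes available.`, so it resolves in local previews and does not depend on the published path. The first bullet's note, "Be sure to remove this reference when a new package version update becomes available," should also say which reference and which update are meant: the temporary direct reference to the fixed transitive package, removed once the top-level package ships a version that itself depends on the fixed version. As written, a reader could take it as an instruction to remove the top-level package reference.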
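Review bot: In the PATCH 2/2 hunk (`@@ -129,9 +129,9 @@`), the clause added to the first bullet, "and be sure to maintain the defined attributes for the expected behavior," does not say which attributes are meant or where they are defined, so a reader cannot act on it; either name the attributes on the direct package reference that must be carried over, or drop the clause. The same bullet now chains two unrelated "be sure to" instructions in one sentence after the **Note:** marker; split it into two sentences. In the third bullet, replacing "until a package version update becomes available" with "until it can be addressed" removes the concrete condition for lifting the suppression; since suppressing an advisory accepts the risk rather than fixing it, keep a condition the reader can check, e.g. "until the fixed version can be adopted."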