My organization has a pipeline step that lists vulnerable packages for our ASP.NET Core solutions using:
dotnet list <solution>.sln package --vulnerable --include-transitive
After updating our toolchain from dotnet 6 to dotnet 7, this command now returns a non-zero error code for all of our projects even if no vulnerable packages are found. We get an error message:
The project <path>\docker-compose.dcproj uses package.config for NuGet packages, while the command works only with package reference projects.
Which seems to be the source of the error. It's very easy to reproduce this without any custom code.
In Visual Studio 2022, create a new ASP.NET Core Web API project. Include Docker support.
A new solution will be created. Right-click on the WebApplication1 project in Solution Explorer and select Add > Container Orchestrator Support. Choose the Docker Compose option. This will create a new docker-compose.csproj file.
Open a PowerShell prompt and run dotnet list <solution>.sln package. No need to even check for vulnerabilities.
Check $LASTEXITCODE and see that it is 1.
We have been forced to disable this check due to this behavior. I found an old issue: #131
Which suggests a possible workaround of defining the RestoreProjectStyle setting in the problem project. But the workaround is not valid for the docker-compose project, which does not have NuGet dependencies.
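
One way to keep the vulnerability gate running while the solution-level command exits non-zero, as an added example that is not part of the original issue or of the .NET SDK: run the same command per project and skip `.dcproj` entries. The `$Solution` parameter, the assumption that projects are already restored, and the matched output string are assumptions of this sketch.

```powershell
# Added example: per-project vulnerability check that skips docker-compose projects.
# Assumes 'dotnet restore' has already run for the solution.
param(
    [Parameter(Mandatory)][string]$Solution   # path to the .sln file (hypothetical parameter name)
)

$slnDir = Split-Path -Parent (Resolve-Path $Solution).Path

# 'dotnet sln <sln> list' prints a header, a separator line, then one
# project path per line, relative to the solution directory.
$projects = dotnet sln $Solution list |
    Where-Object { $_ -match '\.\w+proj\s*$' } |    # keep only project file lines
    Where-Object { $_ -notmatch '\.dcproj\s*$' }    # skip docker-compose projects (no NuGet references)

$failed = $false
foreach ($rel in $projects) {
    $proj = Join-Path $slnDir $rel.Trim()

    # Same flags as the pipeline step in the issue, applied to one project.
    $out = dotnet list $proj package --vulnerable --include-transitive | Out-String
    $code = $LASTEXITCODE
    Write-Host $out

    if ($code -ne 0) {
        # A real tool failure for a PackageReference project should still break the build.
        Write-Warning "dotnet list failed for $proj (exit code $code)"
        $failed = $true
    }
    elseif ($out -match 'has the following vulnerable packages') {
        # Assumption: this is the English CLI wording used when findings exist.
        # Matching the text avoids depending on the exit code to signal findings.
        Write-Warning "Vulnerable packages reported in $proj"
        $failed = $true
    }
}

if ($failed) { exit 1 } else { exit 0 }
```

The output match is locale-dependent, so pin the CLI language on the build agent or adjust the pattern if the agent is not English.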