NuGet Dependency Graph
A Visual Studio Code extension that visualizes NuGet package dependencies and vulnerabilities in an interactive 3D graph.
Features
Interactive 3D Graph
Packages are rendered as 3D spheres in a force-directed layout with a namespace-hub topology:
- Project root (gold sphere) — your
.csproj at the center
- Namespace hubs (colored spheres) — one hub per package vendor prefix (Azure, Microsoft, Serilog, etc.) when 2+ packages share a prefix
- Package spheres — each NuGet package, clustered around its namespace hub
- Singleton packages — packages with a unique prefix link directly to the root
Link labels show the resolved package version. Hover over a node to highlight its connections; click to view details in the info panel.
Visualization Modes
| Mode |
Description |
| Dependencies |
All packages color-coded by namespace family |
| Vulnerabilities |
Packages colored by highest severity (Critical=dark red, High=orange, Moderate=yellow, Low=gold) |
| Full Graph |
Complete dependency tree including transitive packages |
Security Scanning
- Runs
dotnet list package --vulnerable via the .NET CLI
- Color-coded by severity: Critical, High, Moderate, Low
- Click a vulnerable package node to see advisory links
Offline Support
- All 3D rendering libraries are bundled locally — no CDN requests
- Vulnerability scan results are cached to disk for faster subsequent runs
- Falls back to
.csproj XML parsing when the .NET CLI is unavailable
Getting Started
Prerequisites
- Visual Studio Code 1.74.0 or higher
- A
.csproj project with NuGet <PackageReference> entries
- .NET SDK (recommended; required for vulnerability scanning)
Usage
Right-click any .csproj file in the Explorer or editor tab and select:
- Visualize NuGet Dependencies
- Visualize NuGet Vulnerabilities
- Visualize Full NuGet Dependency Graph
Command Palette (Ctrl+Shift+P)
NuGet Graph: Visualize NuGet DependenciesNuGet Graph: Visualize NuGet VulnerabilitiesNuGet Graph: Visualize Full NuGet Dependency Graph
Interactive Controls
| Control |
Action |
| Left-click + drag |
Rotate the graph |
| Scroll wheel |
Zoom in / out |
| Click a node |
Select and show details |
| Hover a node |
Highlight connected nodes and links |
| Zoom to Fit |
Frame all nodes in view |
| Center View |
Reset camera to origin |
| Reset Physics |
Restart the force simulation |
| Toggle Physics |
Freeze / unfreeze the simulation |
Graph Structure
For a project with packages from multiple vendors, the graph looks like:
project-root (gold)
├── ns::Azure (blue hub)
│ ├── Azure.Extensions.AspNetCore.Configuration.Secrets@1.3.2
│ └── Azure.Identity@1.13.2
├── ns::Microsoft (light-blue hub)
│ ├── Microsoft.EntityFrameworkCore@9.0.0
│ └── Microsoft.Extensions.Hosting@9.0.0
├── ns::Serilog (green hub)
│ ├── Serilog@4.2.0
│ └── Serilog.Sinks.Console@6.0.0
└── MongoDB.Driver@3.1.0 (singleton, no hub)
Troubleshooting
"No .NET SDK found"
Install the .NET SDK from https://dotnet.microsoft.com/download and restart VS Code.
"No dependencies found"
- Ensure the
.csproj uses <PackageReference> elements
- Run
dotnet restore in the project directory
- Check that the file is valid XML
Graph renders blank / wrong topology
- Open Developer Tools in the Extension Development Host: Help → Toggle Developer Tools
- Check the Console tab for errors
- Stop the debug session and press F5 again to reload the extension host
Supported Project Types
- .NET Core / .NET 5+
- .NET Framework
- .NET Standard libraries
PackageReference formatpackages.config (legacy, parsed directly from XML)
Privacy
All analysis runs locally. No telemetry or personal data is collected or transmitted.
License
MIT
