Fetching Vulnerability Resources doesn't respect cancellation

NuGet Product Used

dotnet.exe

Product Version

.NET 9 preview 7

Worked before?

No response

Impact

It's more difficult to complete my work

Repro Steps & Context

This requires a vulnerability information provider to have a network problem, either simulated or real. For me, the Azure outage this Thursday evening presented such that when I cancelled a dotnet build of the dotnet/sdk repo MSBuild attempted to cancel the build but the Restore continued - I got error messages like the following after the 90s timeout finished:

E:\Code\dotnet-sdk\src\Layout\toolset-tasks\toolset-tasks.csproj : error NU1900: Warning As Error: Error occurred while getting package vulnerability data: Unable to load the service index for source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet6/nuget/v3/index.json.

and

E:\Code\dotnet-sdk\artifacts\bin\redist\Debug\dotnet\sdk\9.0.100-dev\NuGet.targets(180,5): warning MSB4220: Waiting for the currently executing task "RestoreTask" to cancel.

To me this felt like a classic case of not passing a CTok, or using CTok.None. I dug into the RestoreTask and found that

RestoreDoes set up and pass a CTok
Restores are run for each request
Also run here
Audit is performed, which requires
packages vulnerabilities to be checked, which requires
fetching vulnerability data, which requires
querying vulnerability data from the configured providers

Through this whole chain the CTok is flowed in a way that makes sense to me. However, the Vulnerability provider interface seems to accept a CTok, but not use it, perhaps for caching purposes?

I think if this was changed to accept the flowed-in CTok in some way that Restore would be properly cancellable again.

Verbose Logs

I don't have standalone logs, but I did include some error messages above.

NuGet / Home