I would like an option to warn when something is referenced and it is not listed as a direct dependency and is instead being pulled in transitively.
This causes all kinds of problems when updating libraries that then pull in different versions of a transitive, or, even more unexpectedly, when removing a direct dependency that shares a transitive dependency with another and then the version changes. Lock files don't help here; they only help when it is a direct dependency, which this option would help to enforce.
This is the exact opposite of #108.
I come from Scala where we have this sbt build plugin that enforces explicit and no unused dependencies: https://github.com/cb372/sbt-explicit-dependencies
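The failure mode described in this issue, as an added example that is not part of the original post or of any project's code: a small check that flags referenced packages that resolve only transitively, and shows the version drift when a direct dependency is removed. The registry, package names, exact pins and the "highest requested version wins" resolution rule are all constructed assumptions.

```python
# Constructed registry: package -> version -> {dependency: required version}.
# Exact pins and "highest requested version wins" are simplifying assumptions.
REGISTRY = {
    "web":  {"3.0": {"json": "2.1"}},
    "db":   {"1.2": {"json": "1.4"}},
    "json": {"1.4": {}, "2.1": {}},
}

def vkey(version):
    """Turn '2.1' into (2, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def resolve(direct):
    """Return {package: version} for the direct deps and everything they pull in."""
    resolved = {}
    queue = list(direct.items())
    while queue:
        name, version = queue.pop()
        if name in resolved and vkey(resolved[name]) >= vkey(version):
            continue  # an equal or higher version was already selected
        resolved[name] = version
        queue.extend(REGISTRY[name][version].items())
    return resolved

def undeclared_references(referenced, direct, resolved):
    """Packages the code references that are present only transitively."""
    return sorted(p for p in referenced if p in resolved and p not in direct)

def version_drift(referenced, direct_before, direct_after):
    """Referenced packages whose resolved version differs between two manifests."""
    before, after = resolve(direct_before), resolve(direct_after)
    return {p: (before.get(p), after.get(p))
            for p in referenced if before.get(p) != after.get(p)}

if __name__ == "__main__":
    referenced = {"db", "json"}              # constructed: what the source imports
    manifest = {"web": "3.0", "db": "1.2"}   # "json" is not declared directly
    print(undeclared_references(referenced, manifest, resolve(manifest)))
    trimmed = {"db": "1.2"}                  # "web" removed from the manifest
    print(version_drift(referenced, manifest, trimmed))
```

Declaring `json` directly in the manifest empties the warning list and pins the version the code is actually built against.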