Vulnerability in EPiServer.Forms
1. Put EPiServer.Cms.Shell.UI and other assemblies shipped through the add-ons channel on the regular NuGet feed, perhaps with a package name suffixed with "-for-development". Use case: A developer is building an extension of some sort that references one or more such assemblies. The dev doesn't want to check the assemblies into version control (it might be an open source project and you don't allow sharing the DLLs, or it might be that he/she is playing Jack Reacher for a day). Instead the developer installs the NuGet package and configures the project to use package restore, both for other devs and for build servers.
2. Put CMS assemblies required by the CMS that aren't a part of any of the existing packages on the NuGet feed. That way site devs don't have to check them in using some libraries folder and you can in the future configure demo/sample/template sites to use NuGet out of the box.
This could apply for Relate and Commerce products as well.
On (2) I definitely agree and for the upcoming release we have fixed most (if not all) of these dependencies.
On (1) I'm a bit more reluctant. I see a big risk that we will have projects taking dependencies on add-on assemblies without fulfilling the obligations that are required for that - in practice, only add-ons are allowed to take dependencies on other add-ons. I poked around our documentation but found very little on the subject (bug reported).