NuGet Product(s) Involved
Visual Studio Package Management UI
The Elevator Pitch
NuGet launched a vulnerability auditing feature last year and would like to enhance the experience further with project system help!
Today a user must directly navigate to a transitive package to see a warning produced when NuGetAuditMode = all
Ideally these warnings would bubble up the entire packages tree similar to what you see with a top-level dependency:
At the end of the day, if there is a transitive dependency vulnerability warning, it should show in the Dependencies node so the user knows how to spelunk to find the culprit. This will also complement CLI work we did in a command called dotnet nuget why which allows you to do similar.
Additional Context and Details
Many users use the Solution Explorer to view their dependency tree alongside the newly released transitive dependencies in Visual Studio functionality that only works for project-level today.
In developer surveys, we found that the solution explorer is one of the most desired places for people to view vulnerability information about their dependencies.
More user impact/motivation can be found in an older proposal that is related more so to the iconography of these indicators.