dotnet / project-system

The .NET Project System for Visual Studio
MIT License

Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages #9494

Open JonDouglas opened 1 week ago

JonDouglas commented 1 week ago

Summary

NuGet launched a vulnerability auditing feature last year and would like to enhance the experience further with project system help!

Today a user must directly navigate to a transitive package to see a warning produced when NuGetAuditMode = all.

[screenshot: vulnerability warning shown only on the transitive package node]

Ideally these warnings would bubble up the entire package tree, similar to what you see with a top-level dependency:

[screenshot: vulnerability warning shown on a top-level dependency]

At the end of the day, if there is a transitive dependency vulnerability warning, it should show in the Dependencies node so the user knows how to spelunk to find the culprit. This will also complement CLI work we did in a command called dotnet nuget why, which allows you to do something similar.

User Impact

Many users use the Solution Explorer to view their dependency tree, alongside the newly released transitive dependencies functionality in Visual Studio, which only works at the project level today.

In developer surveys, we found that the Solution Explorer is one of the most desired places for people to view vulnerability information about their dependencies.

More user impact/motivation can be found in an older proposal that relates more so to the iconography of these indicators.
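For readers who want to reproduce the behaviour the issue describes, the following MSBuild fragment is an added example (not part of the issue or the project-system repository) showing the NuGet audit properties that turn on transitive-package auditing. The property names NuGetAudit, NuGetAuditMode and NuGetAuditLevel are real NuGet settings; placing them in a Directory.Build.props so they apply to every project in the repository is this example's choice, and the file name is an assumption.

```xml
<!-- Directory.Build.props (hypothetical location): applies to every project under this folder. -->
<Project>
  <PropertyGroup>
    <!-- Enable NuGet's vulnerability audit during restore. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- "direct" audits only top-level PackageReference items;
         "all" also audits transitive packages, which is the mode whose
         warnings the issue asks to bubble up in Solution Explorer. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Minimum severity that produces a warning: low, moderate, high or critical. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>
</Project>
```

With this in place, `dotnet restore` reports NU19xx warnings for vulnerable transitive packages, and `dotnet nuget why <project-or-solution> <package-id>` prints the dependency path that pulls a flagged package in, which is the CLI counterpart the issue mentions.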