PM UI should show transitive path
zivkan opened this issue · comments
NuGet Product(s) Affected
Visual Studio Package Management UI
Current Behavior
When hovering a package in the "installed" package list, when the package is a transitive package, it will tell you a top level package that caused the package to be included:
Desired Behavior
The tooltip should show the full path of all intermediate packages. This is because when dealing with transitive packages with known vulnerabilities, some customers (and my personal recommendation) is to upgrade the "closest to direct" package to a higher version where packages with known vulnerabilities are removed.
For example, consider a package path, as shown by the new dotnet nuget why command:
[net8.0]
 │
 └─ YesSql (v5.0.0)
    └─ YesSql.Provider.SqlServer (v5.0.0)
       ├─ Azure.Identity (v1.11.2)
       │  ├─ Microsoft.Identity.Client (v4.60.3)
       │  └─ Microsoft.Identity.Client.Extensions.Msal (v4.60.3)
       │     └─ Microsoft.Identity.Client (v4.60.3)
       └─ Microsoft.Data.SqlClient (v5.2.0)
          ├─ Azure.Identity (v1.11.2)
          │  ├─ Microsoft.Identity.Client (v4.60.3)
          │  └─ Microsoft.Identity.Client.Extensions.Msal (v4.60.3)
          │     └─ Microsoft.Identity.Client (v4.60.3)
          └─ Microsoft.Identity.Client (v4.60.3)
As a developer, I'd prefer to update the YesSql package to a newer version, but if no newer version exists, then I'd like to update YesSql.Provider.SqlServer, and my next preference is Azure.Identity or Microsoft.Data.SqlClient, etc. In order to investigate upgrading these packages, I need to know the package path, not just the direct/root package that brought in the dependency.
Additional Context
No response
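The issue asks for the full chain of intermediate packages rather than only the top-level package, and for an upgrade preference that runs from the package closest to the project outward. The following is an added illustration, not code from the NuGet repository or from the issue author: it models the dependency tree from the `dotnet nuget why` output above as a constructed in-memory graph, enumerates every path from the top-level package to a target package, and orders the intermediate packages by their shallowest depth, which reproduces the "closest to direct" preference order described in the issue. The graph, the `TOP_LEVEL` list and all function names are assumptions made for this example; a real implementation would read the project's assets file instead.

```python
from typing import Dict, List

# Constructed dependency graph mirroring the tree shown by `dotnet nuget why`
# in this issue (versions omitted; only the edges matter for path finding).
DEPS: Dict[str, List[str]] = {
    "YesSql": ["YesSql.Provider.SqlServer"],
    "YesSql.Provider.SqlServer": ["Azure.Identity", "Microsoft.Data.SqlClient"],
    "Azure.Identity": [
        "Microsoft.Identity.Client",
        "Microsoft.Identity.Client.Extensions.Msal",
    ],
    "Microsoft.Identity.Client.Extensions.Msal": ["Microsoft.Identity.Client"],
    "Microsoft.Data.SqlClient": ["Azure.Identity", "Microsoft.Identity.Client"],
    "Microsoft.Identity.Client": [],
}

# Packages referenced directly by the project (assumed for this example).
TOP_LEVEL = ["YesSql"]


def find_paths(deps: Dict[str, List[str]], roots: List[str], target: str) -> List[List[str]]:
    """Return every path root -> ... -> target as a list of package ids.

    Depth-first walk; a node already on the current trail is skipped so a
    cyclic graph cannot recurse forever.
    """
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        trail = trail + [node]
        if node == target:
            paths.append(trail)
            return
        for child in deps.get(node, []):
            if child not in trail:
                walk(child, trail)

    for root in roots:
        walk(root, [])
    return paths


def upgrade_candidates(paths: List[List[str]]) -> List[str]:
    """Order the intermediate packages on the given paths by how close they
    are to the project: depth 0 is a top-level package, so the first entry is
    the package a developer would try to upgrade first. The target package
    itself (last element of each path) is excluded.
    """
    best_depth: Dict[str, int] = {}
    for path in paths:
        for depth, pkg in enumerate(path[:-1]):
            best_depth[pkg] = min(depth, best_depth.get(pkg, depth))
    return sorted(best_depth, key=lambda p: (best_depth[p], p))


def render(path: List[str]) -> str:
    """Format one path the way a tooltip might print it."""
    return " -> ".join(path)


if __name__ == "__main__":
    target = "Microsoft.Identity.Client"
    found = find_paths(DEPS, TOP_LEVEL, target)
    print(f"{len(found)} path(s) to {target}:")
    for p in found:
        print("  " + render(p))
    print("Upgrade candidates, closest to direct first:")
    for pkg in upgrade_candidates(found):
        print("  " + pkg)
```

Run as a script it prints the five distinct paths that the `dotnet nuget why` tree contains for Microsoft.Identity.Client, followed by the candidate list YesSql, YesSql.Provider.SqlServer, Azure.Identity, Microsoft.Data.SqlClient, Microsoft.Identity.Client.Extensions.Msal, which is the order the issue describes. Showing only the shortest path would lose the Microsoft.Data.SqlClient route, which is exactly the kind of information a tooltip limited to the root package hides.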
This was initially considered when I initially proposed this but there was no clean way to do this in a tooltip that isn't the size of supercalifragilisticexpialidocious. I wanted people to know the root of where to start looking.
I think we could empower the tooltip by pointing users to other methods like you suggest which is the next in precedent order. Maybe even a whole docs page on this could help in addressing transitive woes.
Tagging @albarry4 in case she has some ideas on this UI/UX or we can get a quick design review to figure out more options.
What about the following alternative suggestions:
The tooltip could contain a link that takes you to the solution explorer where the vulnerable package is selected and visible in the scroll area, and where the whole path to the vulnerable package is expanded.
The tooltip could contain a link that takes you directly to the parent package in the PM UI list.