Repo for NuGet Client issues

PM UI should show transitive path

zivkan opened this issue · comments

NuGet Product(s) Affected

Visual Studio Package Management UI

Current Behavior

When hovering over a package in the "installed" package list, when the package is a transitive package, it will tell you a top-level package that caused the package to be included:
[screenshot of the tooltip]

Desired Behavior

The tooltip should show the full path of all intermediate packages. This is because when dealing with transitive packages with known vulnerabilities, some customers (and my personal recommendation) is to upgrade the "closest to direct" package to a higher version where packages with known vulnerabilities are removed.

For example, consider a package path, as shown by the new dotnet nuget why command:

  [net8.0]
   │
   └─ YesSql (v5.0.0)
      └─ YesSql.Provider.SqlServer (v5.0.0)
         ├─ Azure.Identity (v1.11.2)
         │  ├─ Microsoft.Identity.Client (v4.60.3)
         │  └─ Microsoft.Identity.Client.Extensions.Msal (v4.60.3)
         │     └─ Microsoft.Identity.Client (v4.60.3)
         └─ Microsoft.Data.SqlClient (v5.2.0)
            ├─ Azure.Identity (v1.11.2)
            │  ├─ Microsoft.Identity.Client (v4.60.3)
            │  └─ Microsoft.Identity.Client.Extensions.Msal (v4.60.3)
            │     └─ Microsoft.Identity.Client (v4.60.3)
            └─ Microsoft.Identity.Client (v4.60.3)

As a developer, I'd prefer to update the YesSql package to a newer version, but if no newer version exists, then I'd like to update YesSql.Provider.SqlServer, and my next preference is Azure.Identity or Microsoft.Data.SqlClient, etc. In order to investigate upgrading these packages, I need to know the package path, not just the direct/root package that brought in the dependency.

Additional Context

No response
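The "closest to direct" preference order above can be computed mechanically once the full paths are known. The following is an added example (not code from the NuGet client or from the issue author): it walks a dependency graph transcribed from the `dotnet nuget why` tree in the issue, enumerates every path from a direct reference to the package being investigated, and ranks the intermediate packages by their distance from the project's own references, together with how many of those paths each one sits on. The direct-reference list and the choice of Microsoft.Identity.Client as the package under investigation are assumptions made for the example; the issue does not say that package is vulnerable.

```python
"""Rank upgrade candidates for a transitive package by distance from the
project's direct references, over all dependency paths to that package."""
from collections import defaultdict

# Constructed dependency graph, transcribed from the `dotnet nuget why`
# tree in the issue (package -> direct dependencies). Versions are
# omitted because only the edge structure matters for path finding.
GRAPH = {
    "YesSql": ["YesSql.Provider.SqlServer"],
    "YesSql.Provider.SqlServer": ["Azure.Identity", "Microsoft.Data.SqlClient"],
    "Azure.Identity": ["Microsoft.Identity.Client",
                       "Microsoft.Identity.Client.Extensions.Msal"],
    "Microsoft.Identity.Client.Extensions.Msal": ["Microsoft.Identity.Client"],
    "Microsoft.Data.SqlClient": ["Azure.Identity", "Microsoft.Identity.Client"],
    "Microsoft.Identity.Client": [],
}
# Assumed top-level PackageReference items for this example.
DIRECT_REFERENCES = ["YesSql"]


def paths_to(graph, roots, target):
    """Return every path root -> ... -> target as a list of package names,
    in depth-first order. `on_path` guards against cycles so a malformed
    graph cannot recurse forever (NuGet graphs are normally acyclic)."""
    found = []

    def walk(node, path, on_path):
        if node == target:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child in on_path:
                continue
            walk(child, path + [child], on_path | {child})

    for root in roots:
        walk(root, [root], {root})
    return found


def upgrade_candidates(paths):
    """Rank intermediate packages (everything on a path except the target).

    Sort key is (distance from a direct reference, name), so the package
    closest to a direct reference comes first, matching the upgrade
    preference described in the issue. The coverage count says how many of
    the paths a package sits on: a package present on every path is a single
    point whose upgrade can remove the target from the whole graph, whereas
    upgrading a package on only some paths leaves the others intact."""
    min_depth = {}
    coverage = defaultdict(int)
    for path in paths:
        for depth, pkg in enumerate(path[:-1]):
            min_depth[pkg] = min(depth, min_depth.get(pkg, depth))
            coverage[pkg] += 1
    ranked = sorted(min_depth, key=lambda p: (min_depth[p], p))
    return [(pkg, min_depth[pkg], coverage[pkg], len(paths)) for pkg in ranked]


if __name__ == "__main__":
    target = "Microsoft.Identity.Client"  # package under investigation (hypothetical)
    paths = paths_to(GRAPH, DIRECT_REFERENCES, target)
    for p in paths:
        print(" > ".join(p))
    print()
    for pkg, depth, hit, total in upgrade_candidates(paths):
        print(f"{pkg:45} depth={depth} on {hit}/{total} paths")
```

Run against the transcribed graph, this yields five distinct paths and ranks YesSql first, then YesSql.Provider.SqlServer (both on all five paths), then Azure.Identity and Microsoft.Data.SqlClient at the same depth, which is exactly the order of preference stated in the issue; the coverage column additionally shows that upgrading Azure.Identity alone would still leave the direct Microsoft.Data.SqlClient -> Microsoft.Identity.Client edge in place.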

This was initially considered when I initially proposed this but there was no clean way to do this in a tooltip that isn't the size of supercalifragilisticexpialidocious. I wanted people to know the root of where to start looking.

I think we could empower the tooltip by pointing users to other methods like you suggest which is the next in precedence order. Maybe even a whole docs page on this could help in addressing transitive woes.

Tagging @albarry4 in case she has some ideas on this UI/UX or we can get a quick design review to figure out more options.

commented

What about the following alternative suggestions:

The tooltip could contain a link that takes you to the solution explorer where the vulnerable package is selected and visible in the scroll area, and where the whole path to the vulnerable package is expanded.

The tooltip could contain a link that takes you directly to the parent package in the PM UI list.