
Suggested quickfixes for transitive dependencies should be actionable or omitted

Open Valodim opened this issue 3 months ago • 0 comments

Is your feature request related to a problem? Please describe.

For transitive dependencies, the "quick fix" box is in its current state, as far as I can tell, mostly noise.

For instance, in this dependency graph from a project that has a dependency on playwright, many layers down there is a dependency on ip.

Image

The info and suggestion are as such:

Image

Updating like this is not really a viable solution in almost all cases for transitive dependencies. At the risk of sounding negative, suggestions that are bogus at first glance mostly teach my brain to ignore such boxes as UI noise :)

Describe the solution you'd like

A better but complicated improvement could be to display info about the direct dependency, since that is the one that the user will actually update, and enrich it with some info related to the security issue. In this example, three version numbers might be of interest:

  1. The minimum version that resolves the specific issue
  2. The newest version that doesn't go to a new major version
  3. The latest version

If it's easily available, timestamps would also be helpful info :)

Describe alternatives you've considered

In scenarios where the quick fix info is likely pointless, such as for transitive dependencies here, a simple improvement would be to just show nothing, or a more correct though vague suggestion like "Updating playwright might resolve this issue". But this might be a personal preference.

Valodim, Sep 23 '25 10:09
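To make the three-version suggestion concrete, here is an added worked example (not code from the issue author or from the devguard project) of how a scanner could derive actionable upgrade targets for the *direct* dependency when the finding sits in a transitive one. The package names, release dates, resolved transitive versions and the "fixed in" boundary are constructed sample data; only the selection logic is the point. When no release of the direct dependency resolves the issue, the function returns None, which is the "show nothing" case from the alternatives section.

```python
"""Pick actionable upgrade targets for a direct dependency when the
vulnerability sits in one of its transitive dependencies.

All package names, versions, dates and the fixed-in boundary below are
constructed sample data for illustration, not taken from any registry.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def parse_semver(v: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release and build suffixes are ignored here."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    major, minor, patch = (int(x) for x in core.split("."))
    return major, minor, patch


@dataclass(frozen=True)
class Release:
    version: str      # version of the direct dependency
    published: date   # release timestamp, shown alongside the suggestion
    transitive: str   # version of the vulnerable transitive package it resolves to


@dataclass(frozen=True)
class Suggestion:
    min_fix: Release                       # oldest release whose transitive dep is fixed
    newest_same_major: Optional[Release]   # newest fixed release without a major bump
    latest: Release                        # newest fixed release overall


def is_fixed(transitive_version: str, fixed_in: str) -> bool:
    """True when the resolved transitive version is at or past the fix boundary."""
    return parse_semver(transitive_version) >= parse_semver(fixed_in)


def suggest(releases, installed: str, fixed_in: str) -> Optional[Suggestion]:
    """Return the three candidate upgrade targets for the direct dependency,
    or None when no newer release resolves the issue (omit the quick-fix box)."""
    cur = parse_semver(installed)
    candidates = sorted(
        (r for r in releases
         if parse_semver(r.version) > cur and is_fixed(r.transitive, fixed_in)),
        key=lambda r: parse_semver(r.version),
    )
    if not candidates:
        return None
    same_major = [r for r in candidates if parse_semver(r.version)[0] == cur[0]]
    return Suggestion(
        min_fix=candidates[0],
        newest_same_major=same_major[-1] if same_major else None,
        latest=candidates[-1],
    )


def render(name: str, s: Optional[Suggestion]) -> Optional[str]:
    """Text for the quick-fix box; None means the box should not be shown."""
    if s is None:
        return None
    lines = [
        f"Updating {name} might resolve this issue:",
        f"  minimum fix:     {s.min_fix.version} ({s.min_fix.published})",
    ]
    if s.newest_same_major is not None:
        lines.append(f"  same major line: {s.newest_same_major.version} "
                     f"({s.newest_same_major.published})")
    lines.append(f"  latest:          {s.latest.version} ({s.latest.published})")
    return "\n".join(lines)


# Constructed sample data: a hypothetical direct dependency whose releases pull
# in different versions of a transitive package that is fixed from 2.0.0 on.
SAMPLE_RELEASES = [
    Release("1.40.0", date(2025, 1, 10), "1.1.8"),
    Release("1.41.0", date(2025, 2, 14), "1.1.8"),
    Release("1.42.0", date(2025, 3, 20), "2.0.1"),
    Release("1.43.0", date(2025, 4, 25), "2.0.1"),
    Release("2.0.0", date(2025, 6, 1), "2.0.1"),
]
INSTALLED = "1.40.0"
FIXED_IN = "2.0.0"

if __name__ == "__main__":
    print(render("example-direct-dep", suggest(SAMPLE_RELEASES, INSTALLED, FIXED_IN)))
```

The release-to-transitive mapping is the input a real implementation would have to obtain from the registry or lockfile resolution; the example takes it as given so the selection rule itself stays readable.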