Show vulnerabilities in transitive packages for PackageReference type projects in PMUI #8756
Comments
Thanks, @nkolev92. I wasn't aware of #5887, and it's a very important piece of background here. It looks on the surface like this issue is dependent on #5887 rather than a dupe of it. I've renamed this issue to track the specifics of showing vulnerabilities in transitive packages. #5887 has some interesting flowthroughs to this issue: #5553 and this epic: #5877. It seems like there is more discussion to be had in this space before transitive dependencies for

In the spec https://github.com/NuGet/Home/wiki/Flag-vulnerable-packages, the MVP includes this:

> A developer should be able to see a package vulnerability indicator for any known vulnerability in a transitive package in their dependency graph. 95% of vulnerable dependencies are transitive ones and we should bring awareness to this to help the ecosystem shift left.

It's important to note that this bullet point encompasses #5887 and all of its longstanding discussions.

This needs to be spiked before it can have a real estimate.

Note for implementer: I added a pessimistic estimate in the client project. https://github.com/NuGet/Client.Engineering/pull/1391 has info that should be really helpful.