Reconsider vulnerability views in VS NuGet PM UI areas #14247

Open
@timheuer


NuGet Product(s) Affected

Visual Studio Package Management UI

Current Behavior

When trying to view vulnerability information in VS, there is a lot of disconnect between audit modes, the visuals, the PM UI, and solution explorer dependencies nodes.

If auditmode=direct...
PM UI shows ⚠️ and if I click on them I think it is telling me which projects are affected. But if I hover over the vulnerable item, the tooltip only shows me one item and is not a project but a package? And if I navigate to one of the projects in the list, there is nothing in Solution Explorer that is giving me any information.

If auditmode=all...
PM UI shows the same, but now the tooltip data is different; it seems to pick one of the projects (better) but not all of them? Unclear why only one project is listed. But now SE is showing me ⛔ in the dependencies node and I can spelunk that more and try to find out.

Desired Behavior

I don't know what the 'correct' UX is here, but there is a large disconnect for me between the modes and visuals and UX chosen (tooltip). I think this would benefit from a re-imagining of a 'vulnerability view' aspect that helps me make it very clear. Apparently the `dotnet nuget why` does this in one shot (I couldn't get that working in this repo).

Additional Context

No response
