Related Problem
No response
The Elevator Pitch
When a package author uploads a package to NuGet.org, we should validate that it uses up-to-date dependencies by running a vulnerability scan. The scan makes the author aware of any top-level or transitive dependency that, as resolved on the consumer side, contains a known vulnerability.
If a dependency or transitive dependency contains a known vulnerability, a security banner could appear with more information about the vulnerability and any remediation steps, such as moving to an up-to-date dependency version that contains a patch. The author can then make the fix and re-upload, helping the ecosystem shift left in the rare case that a vulnerability is detected.
There will be cases where the author cannot make such changes because they are out of their control, and they may decide to publish anyway. The banner should serve to bring awareness and help file the appropriate security concerns to address in the next package version, or to hold off on publishing a version until a fix lands in their dependency graph.
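To make the proposal concrete, here is an added example (not NuGet.org code) of the upload-time check: it resolves the dependency graph a consumer would get, using NuGet's lowest-applicable-version rule, matches each node against an advisory list, and builds the banner text. The catalog, advisories and package names are constructed sample data.

```python
from collections import deque

# Constructed sample catalog (not real NuGet data): name -> {version: [(dependency, minimum version), ...]}
CATALOG = {
    "MyLib": {"1.0.0": [("JsonKit", "2.0.0"), ("Logger", "1.1.0")],
              "1.0.1": [("JsonKit", "2.1.0"), ("Logger", "1.2.0")]},
    "JsonKit": {"2.0.0": [("Parser", "3.0.0")], "2.1.0": [("Parser", "3.2.0")]},
    "Logger": {"1.1.0": [], "1.2.0": []},
    "Parser": {"3.0.0": [], "3.1.0": [], "3.2.0": []},
}
# Constructed advisories: name -> [(first affected version, first fixed version, placeholder advisory id)]
ADVISORIES = {
    "Parser": [("3.0.0", "3.1.0", "ADV-PLACEHOLDER-1")],
    "Logger": [("1.0.0", "1.2.0", "ADV-PLACEHOLDER-2")],
}

def parse(v):
    return tuple(int(x) for x in v.split("."))

def resolve(name, minimum):
    """NuGet's 'lowest applicable version' rule: the smallest catalogued version >= minimum."""
    ok = sorted((v for v in CATALOG[name] if parse(v) >= parse(minimum)), key=parse)
    if not ok:
        raise LookupError(f"no version of {name} satisfies >= {minimum}")
    return ok[0]

def advisories_for(name, version):
    """Advisories whose affected range [first affected, first fixed) contains this version."""
    return [(adv, fixed) for lo, fixed, adv in ADVISORIES.get(name, [])
            if parse(lo) <= parse(version) < parse(fixed)]

def scan(package, version):
    """Walk the graph a consumer would resolve; 'top-level' = direct dependency, else 'transitive'."""
    findings, seen = [], set()
    queue = deque([(package, version, [])])
    while queue:
        name, ver, path = queue.popleft()
        if (name, ver) in seen:
            continue
        seen.add((name, ver))
        for adv, fixed in (advisories_for(name, ver) if path else []):  # the uploaded package itself is not checked
            findings.append({"package": name, "version": ver, "advisory": adv, "fixed_in": fixed,
                             "kind": "top-level" if len(path) == 1 else "transitive", "path": path + [name]})
        for dep, minimum in CATALOG[name][ver]:
            queue.append((dep, resolve(dep, minimum), path + [name]))
    return findings

def banner(findings):
    """Remediation text for the upload banner; publishing is still the author's decision."""
    lines = []
    for f in findings:
        fix = (f"raise the {f['package']} dependency to >= {f['fixed_in']}" if f["kind"] == "top-level"
               else f"add a direct dependency on {f['package']} >= {f['fixed_in']} (nearest wins) or bump {f['path'][1]}")
        lines.append(f"{f['advisory']}: {f['package']} {f['version']} ({f['kind']} via {' -> '.join(f['path'])}); {fix}")
    return lines
```

Scanning `MyLib 1.0.0` flags `Logger 1.1.0` as a top-level finding and `Parser 3.0.0` as transitive via `JsonKit`; the re-uploaded `MyLib 1.0.1` with bumped minimums scans clean.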
Additional Context and Details
No response