(Assumption for the following: Node-based projects - I don’t know whether there are vulnerability alerts for other types too.)
First of all, it would be great if the vulnerability alerts would mention whether the vulnerability in question is a devDependency or a regular one.
Secondly, it would be really helpful if the vulnerable package could be traced back to the “root” dependency because of which it exists in the project (see e.g. yarn why), with information about the currently used and latest versions of those root dependencies. Then I can tell at a glance whether it’s something that’s quite probably within or outside of my control.
Sidenote: It would also be great if you could not send multiple emails within a few seconds that are obviously triggered by the same scan. Just aggregate them into one? Less noise for the users, possibly lower cost (traffic) for you.
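As an added illustration of the second request (not part of the original post, and not code from any alert provider), here is a small script that answers the same two questions locally from a lockfile: is the flagged package dev-only, and which declared root dependency pulls it in. The lockfile and manifest below are constructed samples shaped like an npm v1 package-lock and a package.json; looking up the latest published version is left out because it needs a registry call.

```javascript
// Constructed sample shaped like an npm v1 package-lock: each entry records
// its installed version, whether it is dev-only, and what it requires.
const lock = {
  dependencies: {
    "express": { version: "4.18.2", dev: false, requires: { "qs": "6.11.0" } },
    "qs": { version: "6.11.0", dev: false, requires: {} },
    "mocha": { version: "10.2.0", dev: true, requires: { "minimatch": "5.0.1" } },
    "minimatch": { version: "5.0.1", dev: true, requires: { "brace-expansion": "2.0.1" } },
    "brace-expansion": { version: "2.0.1", dev: true, requires: {} },
    "lodash": { version: "4.17.21", dev: false, requires: {} },
  },
};
// Constructed package.json: the "root" dependencies the project declares itself.
const manifest = {
  dependencies: { "express": "^4.18.2", "lodash": "^4.17.21" },
  devDependencies: { "mocha": "^10.2.0" },
};

// Build the reverse graph: package name -> packages that require it.
function reverseEdges(lock) {
  const dependents = {};
  for (const [name, entry] of Object.entries(lock.dependencies)) {
    for (const req of Object.keys(entry.requires || {})) {
      (dependents[req] = dependents[req] || []).push(name);
    }
  }
  return dependents;
}

// Walk upwards from the flagged package until declared roots are reached
// (the same question "yarn why" answers), and report the dev flag for each.
function explain(lock, manifest, target) {
  const entry = lock.dependencies[target];
  if (!entry) return null;
  const dependents = reverseEdges(lock);
  const roots = new Set();
  const seen = new Set([target]); // guards against dependency cycles
  const stack = [target];
  while (stack.length) {
    const name = stack.pop();
    if (name in manifest.dependencies || name in manifest.devDependencies) roots.add(name);
    for (const parent of dependents[name] || []) {
      if (!seen.has(parent)) { seen.add(parent); stack.push(parent); }
    }
  }
  return {
    package: target, version: entry.version, devOnly: entry.dev === true,
    roots: [...roots].sort().map((r) => ({
      name: r, installed: lock.dependencies[r].version,
      declared: manifest.dependencies[r] || manifest.devDependencies[r],
      dev: r in manifest.devDependencies,
    })),
  };
}
```

Calling explain(lock, manifest, "brace-expansion") reports it as dev-only, reached through the root mocha; the same call for "qs" reports a production package reached through express.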