(Assumption for the following: Node-based projects - I don't know whether there are vulnerability alerts for other types too.)
First of all, it would be great if the vulnerability alerts would mention whether the vulnerability in question is a devDependency or a regular one.
Secondly, it would be really helpful if it could be traced back to the "root" dependency because of which it exists in the project - see e.g. yarn why. And provide information about the currently used and latest version for those root dependencies. Because then I can tell at a glance whether it's something that's quite probably either within or out of my control.
Sidenote: It would also be great if you could not send multiple emails within a few seconds that are obviously triggered by the same scan. Just aggregate them into one? Less noise for the users, possibly lower cost (traffic) for you.
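A triage script of the kind the request above describes, added here as an example (not code from the original thread or from GitHub's tooling): it walks a constructed package-lock.json v3 `packages` map with hypothetical package names and versions and reports, for a given vulnerable package, which root dependencies pull it in, the installed versions involved, and whether each root is a devDependency. The latest published version of each root would require a registry lookup and is left out.

```javascript
// Constructed sample of a package-lock.json v3 "packages" map (hypothetical project).
// "" is the project root; "dev: true" marks packages only reachable via devDependencies.
const lock = {
  packages: {
    "": { dependencies: { "web-server": "^1.0.0" }, devDependencies: { "test-runner": "^2.0.0" } },
    "node_modules/web-server": { version: "1.0.0", dependencies: { minimist: "^1.2.0" } },
    "node_modules/test-runner": { version: "2.0.0", dev: true, dependencies: { minimist: "^0.0.8" } },
    "node_modules/minimist": { version: "1.2.5" },
    "node_modules/test-runner/node_modules/minimist": { version: "0.0.8", dev: true },
  },
};

// Resolve which lockfile entry `name` refers to when required from `fromPath`,
// walking up nested node_modules directories the way Node's resolver does.
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// For a vulnerable package name, return every root dependency whose subtree
// contains it, with the root's installed version and whether it is dev-only.
function whyVulnerable(lock, vulnName) {
  const rootPkg = lock.packages[""];
  const roots = [
    ...Object.keys(rootPkg.dependencies || {}).map((n) => ({ name: n, dev: false })),
    ...Object.keys(rootPkg.devDependencies || {}).map((n) => ({ name: n, dev: true })),
  ];
  const results = [];
  for (const root of roots) {
    const rootPath = resolve(lock, "", root.name);
    const stack = [rootPath], seen = new Set(), hits = new Set();
    while (stack.length) { // depth-first walk of this root's dependency subtree
      const path = stack.pop();
      if (!path || seen.has(path)) continue;
      seen.add(path);
      const entry = lock.packages[path];
      if (path.endsWith("node_modules/" + vulnName)) hits.add(entry.version);
      for (const dep of Object.keys(entry.dependencies || {})) stack.push(resolve(lock, path, dep));
    }
    if (hits.size) results.push({ root: root.name, rootVersion: lock.packages[rootPath].version,
                                  dev: root.dev, vulnerableVersions: [...hits].sort() });
  }
  return results;
}
```

Running `whyVulnerable(lock, "minimist")` on the sample shows the same package reaching the project twice: once at 1.2.5 through the production dependency and once at 0.0.8 through the test runner, which is exactly the dev-versus-regular distinction the request asks for.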
Thanks so much for taking the time to write in about this!!
I have passed your suggestion along to the engineering team. I can't promise if or when we will implement support for all your suggestions, but your feedback is definitely in the right hands.