[Bug Bash] The vulnerable info shows inconsistently between “Package Details” & “Version” dropdown list for the transitive package “Microsoft.Data.OData”

[v-luzh]

NuGet Product Used

Visual Studio Package Management UI

Product Version

Dev\6.13.0.99

Worked before?

2. It is not regression since it reproes on VS D17.12\35523.42 + NuGet Client 6.12.1.1.

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Details about problem

VS Version: Main\35617.63
OS: Windows-11-Enterprise-23H2

Notes:  

1. The repro rate is 100%. 
2. It reproes after installing the versions: 5.8.0, 5.8.1, 5.8.2, 5.8.3 for package “Microsoft.Data.Services.Client” in step3.
3. It also reproes after installing the package with "packages.config" format in step 4.
4. It doesn't repro when installing this package “Microsoft.Data.OData” directly as top-level package, but it reproes after updating the package “Microsoft.Data.OData 5.8.0” from transitive package to top-level package.\

Repro Steps:   

1. Create a “C# Console App (.NET Framework 4.8.1)” project.   
2. Right-click the project in Solution Explorer window and select "Manage NuGet Packages…" menu item to open the PM UI. 
3. Select the package sources “nuget.org” from “Package source” dropdown box and search for the package “Microsoft.Data.Services.Client”.
4. Select.”5.8.0” in the “Version” dropdown list and install the package with "PackageReference" format.
5. Go to “Installed” tab and observe the package info in both “Package Details” & “Version” dropdown list for the transitive package “Microsoft.Data.OData”.

Expected Result:

The vulnerable info shows consistently between “Package Details” & “Version” dropdown list for the transitive package “Microsoft.Data.OData”.

Actual Result:

The vulnerable info shows inconsistently between “Package Details” & “Version” dropdown list for the transitive package “Microsoft.Data.OData” as the screenshot below.

[nkolev92]

I can repro too.

Data form nuget.org is consistent: https://api.nuget.org/v3-vulnerabilities/2024.12.13.05.09.02/vulnerability.base.json, https://api.nuget.org/v3/registration5-gz-semver2/microsoft.data.odata/index.json

[martinrrm]

Duplicate of https://github.com/NuGet/Client.Engineering/issues/3017, the warning icon on the packages list is a bad design

[jebriede]

Duplicate of NuGet/Client.Engineering#3017, the warning icon on the packages list is a bad design

I'm not sure this is a duplicate. This bug is in the project-level package manager which represents a single package version in the packages list, whereas NuGet/Client.Engineering#3017 is in the solution PM UI where the package in the list can represent more than one version.