feat: transitive dependency visibility in Dependency Health view (v2.2.0)

CHANGELOG.md

@@ -1,3 +1,40 @@
+## 2.2.0 - April 2026
+### Transitive Dependency Visibility
+
+#### Transitive Dependency Resolution
+- Dependency Health view now resolves the complete dependency set (direct and transitive) by parsing lockfiles and manifests directly.
+- Ecosystems with lockfiles (npm, Yarn, pnpm, Python/Poetry/uv, Rust, Ruby, Go, NuGet, Dart, PHP, Helm, Swift, Hex) resolve the full transitive tree automatically.
+- Maven and Gradle resolve direct dependencies from pom.xml and build.gradle. The extension prompts when a tree file is not found.
+- Docker and Helm resolve direct dependencies (base images and chart dependencies).
+- Summary bar shows total dependency count with direct/transitive breakdown and per-ecosystem composition for multi-ecosystem projects.
+
+#### Vulnerability, License, and Policy Overlays
+- Resolved dependencies found in Cloudsmith are checked for known vulnerabilities with severity indicators displayed inline.
+- License classification (permissive, weak copyleft, restrictive) and policy compliance status shown for all covered dependencies.
+- Summary bar aggregates vulnerability counts by severity, restrictive license count, and policy violation count.
+
+#### Upstream Proxy Gap Analysis
+- Dependencies not found in Cloudsmith are checked against configured upstream proxies across all repositories.
+- Each uncovered dependency shows whether it's reachable via an existing upstream or requires a new proxy to be configured.
+
+#### Tree Visualization
+- New tree view mode displays the full dependency hierarchy with collapsible parent-child relationships.
+- Diamond dependencies collapsed on subsequent occurrences to prevent exponential tree growth.
+- Filters prune the tree to show only vulnerable, uncovered, or restrictive-license dependency paths.
+- Three-way view toggle: direct only, all (flat), or all (tree).
+
+#### Pull Dependencies Through Upstream
+- New pull action caches uncovered dependencies through a selected repository's upstream proxy directly from the editor.
+- Repository selector shows only repositories with upstream proxies matching the project's dependency formats.
+- Right-click any individual uncovered dependency to pull just that package through an upstream.
+
+#### Compliance Report
+- New report view opens a dependency health summary in a dedicated editor panel with coverage, vulnerability, license, policy, and upstream gap analysis.
+
+#### UX Improvements
+- Toolbar consolidated to five inline actions: scan, pull, view mode cycle, sort and filter, and compliance report.
+- Format-specific icons displayed on uncovered dependencies for at-a-glance ecosystem identification.
+
 ## 2.1.1 - April 2026
 ### Fixed
 - Fixed erroneous error banner displaying in the Upstream Webview when all upstream data loaded successfully.

README.md

@@ -80,12 +80,12 @@ The right-click menu provides access to the following commands, varying dependin
 
 - **Inspect package** — View the full raw JSON API response for the package.
 - **Copy Install Command** — Copy the installation command for the package to the clipboard.
-- **Show Install Command** - Show the installation command for the package. 
-- **Show vulnerabilities** - Open a webview showing the vulnerabilities report for a package. 
-- **View package in Cloudsmith** - Open the package page in the Cloudsmith web UI for the configured workspace. 
-- **Promote Package** - Promote the package between configured repositories. 
-- **Show Promotion Status** - Show the current status of the package promotion request. 
-- **Find safe version** - Show possible safe versions of the package within Cloudsmith for quick remediation. 
+- **Show Install Command** - Show the installation command for the package.
+- **Show vulnerabilities** - Open a webview showing the vulnerabilities report for a package.
+- **View package in Cloudsmith** - Open the package page in the Cloudsmith web UI for the configured workspace.
+- **Promote Package** - Promote the package between configured repositories.
+- **Show Promotion Status** - Show the current status of the package promotion request.
+- **Find safe version** - Show possible safe versions of the package within Cloudsmith for quick remediation.
 
 <img src="media/readme/packagegroup_context_menu.jpg" alt="contextMenu" width="400"/>
 
@@ -109,6 +109,54 @@ If you have access to multiple workspaces, the explorer lets you switch between
 
 View vulnerability data associated with packages directly in the explorer, including security scan results when available.
 
+### Dependency Health
+
+The Dependency Health view scans your project's manifest and lockfiles, cross-references every declared and transitive dependency against your Cloudsmith workspace, and shows coverage, vulnerability, license, and policy status at a glance.
+
+#### Transitive Resolution
+
+The extension parses lockfiles and manifests directly. Most ecosystems resolve the full dependency tree from an existing lockfile. For ecosystems without a standard lockfile, the extension parses the manifest for direct dependencies and can optionally parse a generated dependency tree for transitives.
+
+| Ecosystem | Automatic (lockfile) | Direct only (manifest) | Notes |
+|-----------|---------------------|----------------------|-------|
+| npm / Yarn / pnpm | package-lock.json, yarn.lock, pnpm-lock.yaml | package.json | |
+| Python | poetry.lock, uv.lock, Pipfile.lock | pyproject.toml, requirements.txt | requirements.txt provides direct deps only |
+| Maven | | pom.xml | Run `mvn dependency:tree -DoutputFile=dependency-tree.txt` once to enable transitive resolution |
+| Gradle | gradle.lockfile | build.gradle, build.gradle.kts | Run `gradle dependencies` once if dependency locking is not enabled |
+| Go | go.mod | | go.mod marks direct vs indirect natively |
+| Rust | Cargo.lock | Cargo.toml | |
+| Ruby | Gemfile.lock | Gemfile | |
+| Docker | | Dockerfile, docker-compose.yml | All dependencies are direct (base images) |
+| NuGet | packages.lock.json | | |
+| Dart | pubspec.lock | | |
+| PHP | composer.lock | | |
+| Helm | Chart.lock | | Helm dependencies are all direct |
+| Swift | Package.resolved | | |
+| Elixir | mix.lock | | |
+
+#### View Modes
+
+- **Direct only** — shows only top-level manifest dependencies.
+- **All (flat)** — shows every resolved dependency in a flat list with direct/transitive labels.
+- **All (tree)** — shows the full dependency hierarchy. Diamond dependencies are collapsed to keep the tree manageable.
+
+#### Overlays
+
+Each dependency found in Cloudsmith is enriched with:
+- **Vulnerability status** — severity count and max severity inline, with click-through to CVE details.
+- **License classification** — permissive, weak copyleft, or restrictive, with configurable flagging.
+- **Policy compliance** — quarantine and policy violation indicators.
+
+Dependencies not found in Cloudsmith show upstream proxy reachability — whether a configured upstream could serve them.
+
+#### Pull Through Upstream
+
+Click "Pull dependencies" to cache uncovered dependencies through a repository's upstream proxy. The extension shows only repositories with matching upstream formats, pulls in parallel, and automatically rescans after completion. You can also right-click any individual dependency to pull just that one package.
+
+#### Compliance Report
+
+The report view opens a styled summary panel with coverage percentage, vulnerability breakdown by severity, license risk summary, policy compliance, and upstream gap analysis.
+
 ### Configuration & Settings
 
 The extension exposes several settings under `cloudsmith-vsc.*`:
@@ -121,13 +169,16 @@ The extension exposes several settings under `cloudsmith-vsc.*`:
 | `cloudsmith-vsc.defaultWorkspace` | Cloudsmith workspace slug to load by default. Leave empty to show all accessible workspaces. |
 | `cloudsmith-vsc.showPermissibilityIndicators` | Show visual indicators for quarantined packages and policy violations. Default: `true`. |
 | `cloudsmith-vsc.showLicenseIndicators` | Show license risk classification on packages. Default: `true`. |
+| `cloudsmith-vsc.flagRestrictiveLicenses` | Color-code restrictive licenses in the Dependency Health view. Default: `true`. |
+| `cloudsmith-vsc.restrictiveLicenses` | List of SPDX license identifiers flagged as restrictive. Default: `["AGPL-3.0", "GPL-2.0", "GPL-3.0", "SSPL-1.0"]`. |
 | `cloudsmith-vsc.showDockerDigestCommand` | Show an additional "Pull by digest" option for Docker install commands. Default: `false`. |
 | `cloudsmith-vsc.experimentalSSOBrowser` | Enable experimental browser-based SSO authentication. Default: `false`. |
-| `cloudsmith-vsc.useLegacyWebApp` | Use the legacy `cloudsmith.io` webapp for platform links. Default: `false`. |
 | `cloudsmith-vsc.autoScanOnOpen` | Automatically scan project dependencies against Cloudsmith when a workspace is opened. Default: `false`. |
 | `cloudsmith-vsc.dependencyScanWorkspace` | Cloudsmith workspace slug to use for dependency health scanning. |
 | `cloudsmith-vsc.dependencyScanRepo` | Cloudsmith repository slug to use for dependency health scanning. |
-| `cloudsmith-vsc.resolveTransitiveDependencies` | Resolve transitive (indirect) dependencies using the package manager CLI. Default: `false`. |
+| `cloudsmith-vsc.resolveTransitiveDependencies` | Parse lockfiles to resolve transitive dependencies. When disabled, only direct manifest dependencies are shown. Default: `true`. |
+| `cloudsmith-vsc.dependencyTreeDefaultView` | Default view mode for the Dependency Health panel: `direct`, `flat`, or `tree`. Default: `flat`. |
+| `cloudsmith-vsc.maxDependenciesToScan` | Maximum number of dependencies to display. Pull operations always process all dependencies regardless of this limit. Default: `10000`. |
 | `cloudsmith-vsc.searchPageSize` | Number of results per page when searching packages (10–100). Default: `50`. |
 | `cloudsmith-vsc.recentSearches` | Number of recent searches to remember (0–50). Default: `10`. |
 
@@ -145,8 +196,14 @@ All commands are available via the Command Palette (`Cmd+Shift+P`):
 | `Cloudsmith: Copy to Clipboard` | Copy a package detail value to the clipboard. |
 | `Cloudsmith: Refresh Packages` | Refresh the Cloudsmith explorer tree. |
 | `Cloudsmith: Search Packages` | Search for packages within a repository. |
+| `Cloudsmith: Scan Dependencies` | Scan project lockfiles and check dependency coverage against Cloudsmith. |
+| `Cloudsmith: Pull Dependencies` | Pull uncovered dependencies through a repository's upstream proxy. |
+| `Cloudsmith: Pull Dependency` | Pull a single dependency through an upstream proxy (right-click context menu). |
+| `Cloudsmith: View Compliance Report` | Open the dependency health compliance report in an editor panel. |
+| `Cloudsmith: Cycle Dependency View` | Switch between direct, flat, and tree view modes. |
+| `Cloudsmith: Sort and Filter Dependencies` | Open sort and filter options for the Dependency Health view. |
 
 
 ## License
 
-Apache 2.0
+Apache 2.0