feat: add vulnerability banner

Author: Flo0806

app/components/DependencyPathPopup.vue

@@ -0,0 +1,124 @@
+<script setup lang="ts">
+defineProps<{
+  /** Dependency path from root to vulnerable package (readonly from VulnerabilityTreeResult) */
+  path: readonly string[]
+}>()
+
+const { t } = useI18n()
+
+const isOpen = shallowRef(false)
+const popupEl = ref<HTMLElement | null>(null)
+const popupPosition = shallowRef<{ top: number; left: number } | null>(null)
+
+// Function ref - captures the element when popup mounts
+function setPopupRef(el: unknown) {
+  popupEl.value = (el as HTMLElement) || null
+}
+
+function closePopup() {
+  isOpen.value = false
+}
+
+// Close popup on click outside
+onClickOutside(popupEl, () => {
+  if (isOpen.value) closePopup()
+})
+
+// Close popup on ESC or scroll
+function handleKeydown(e: KeyboardEvent) {
+  if (e.key === 'Escape') closePopup()
+}
+
+onMounted(() => {
+  document.addEventListener('keydown', handleKeydown)
+  window.addEventListener('scroll', closePopup, true)
+})
+
+onUnmounted(() => {
+  document.removeEventListener('keydown', handleKeydown)
+  window.removeEventListener('scroll', closePopup, true)
+})
+
+function togglePopup(event: MouseEvent) {
+  if (isOpen.value) {
+    closePopup()
+  } else {
+    const button = event.currentTarget as HTMLElement
+    const rect = button.getBoundingClientRect()
+    popupPosition.value = {
+      top: rect.bottom + 4,
+      left: rect.left,
+    }
+    isOpen.value = true
+  }
+}
+
+function getPopupStyle(): Record<string, string> {
+  if (!popupPosition.value) return {}
+  return {
+    top: `${popupPosition.value.top}px`,
+    left: `${popupPosition.value.left}px`,
+  }
+}
+
+// Parse package string "name@version" into { name, version }
+function parsePackageString(pkg: string): { name: string; version: string } {
+  const atIndex = pkg.lastIndexOf('@')
+  if (atIndex > 0) {
+    return { name: pkg.slice(0, atIndex), version: pkg.slice(atIndex + 1) }
+  }
+  return { name: pkg, version: '' }
+}
+</script>
+
+<template>
+  <div class="relative">
+    <!-- Path badge button -->
+    <button
+      type="button"
+      class="path-badge font-mono text-[10px] px-1.5 py-0.5 rounded bg-amber-500/10 border border-amber-500/30 text-amber-700 dark:text-amber-400 cursor-pointer transition-all duration-200 ease-out whitespace-nowrap flex items-center gap-1 hover:bg-amber-500/20 hover:border-amber-500/50"
+      :aria-expanded="isOpen"
+      @click.stop="togglePopup"
+    >
+      <span class="i-carbon-tree-view w-3 h-3" aria-hidden="true" />
+      <span>{{ t('package.vulnerabilities.path') }}</span>
+    </button>
+
+    <!-- Tree popup -->
+    <div
+      v-if="isOpen"
+      :ref="setPopupRef"
+      class="fixed z-[100] bg-bg-elevated border border-border rounded-lg shadow-xl p-3 min-w-64 max-w-sm"
+      :style="getPopupStyle()"
+    >
+      <ul class="list-none m-0 p-0 space-y-0.5">
+        <li
+          v-for="(pathItem, idx) in path"
+          :key="idx"
+          class="font-mono text-xs"
+          :style="{ paddingLeft: `${idx * 12}px` }"
+        >
+          <span v-if="idx > 0" class="text-fg-subtle mr-1">└─</span>
+          <NuxtLink
+            :to="{
+              name: 'package',
+              params: {
+                package: [
+                  ...parsePackageString(pathItem).name.split('/'),
+                  'v',
+                  parsePackageString(pathItem).version,
+                ],
+              },
+            }"
+            class="hover:underline"
+            :class="idx === path.length - 1 ? 'text-fg font-medium' : 'text-fg-muted'"
+            @click="closePopup"
+          >
+            {{ pathItem }}
+          </NuxtLink>
+          <span v-if="idx === path.length - 1" class="ml-1 text-amber-500">⚠</span>
+        </li>
+      </ul>
+    </div>
+  </div>
+</template>

app/components/PackageVulnerabilityTree.vue

@@ -1,17 +1,17 @@
 <script setup lang="ts">
 import { SEVERITY_LEVELS } from '#shared/types'
 import { SEVERITY_COLORS } from '#shared/utils/severity'
-import { useVulnerabilityTree } from '~/composables/useVulnerabilityTree'
 
 const props = defineProps<{
   packageName: string
   version: string
 }>()
 
+const { t } = useI18n()
+
 const {
   data: vulnTree,
   status,
-  error,
   fetch: fetchVulnTree,
 } = useVulnerabilityTree(
   () => props.packageName,
@@ -27,33 +27,30 @@ const hasVulnerabilities = computed(
   () => vulnTree.value && vulnTree.value.vulnerablePackages.length > 0,
 )
 
-// Banner
-const bannerColor = 'border-yellow-500/30 bg-yellow-500/10 text-yellow-400'
+// Banner - amber for better light mode contrast
+const bannerColor = 'border-amber-600/40 bg-amber-500/10 text-amber-700 dark:text-amber-400'
 
 const summaryText = computed(() => {
   if (!vulnTree.value) return ''
   const { totalCounts } = vulnTree.value
   return SEVERITY_LEVELS.filter(s => totalCounts[s] > 0)
-    .map(s => `${totalCounts[s]} ${s}`)
+    .map(s => `${totalCounts[s]} ${t(`package.vulnerabilities.severity.${s}`)}`)
     .join(', ')
 })
 
-// Styling for each depth level - using design tokens for accessible contrast
+// Styling for each depth level - using accessible colors for both themes
 const depthStyles = {
   root: {
-    bg: 'bg-yellow-500/5 border-l-2 border-l-yellow-500',
+    bg: 'bg-amber-500/5 border-l-2 border-l-amber-600',
     text: 'text-fg',
-    tooltip: 'This package',
   },
   direct: {
-    bg: 'bg-orange-500/5 border-l-2 border-l-orange-500',
+    bg: 'bg-amber-500/5 border-l-2 border-l-amber-500',
     text: 'text-fg-muted',
-    tooltip: 'Direct dependency',
   },
   transitive: {
-    bg: 'bg-orange-500/5 border-l-2 border-l-orange-700',
+    bg: 'bg-amber-500/5 border-l-2 border-l-amber-400',
     text: 'text-fg-muted',
-    tooltip: 'Transitive dependency (indirect)',
   },
 } as const
 
@@ -67,7 +64,11 @@ function getDepthStyle(depth: string | undefined) {
 </script>
 
 <template>
-  <section v-if="status === 'success' && hasVulnerabilities" aria-labelledby="vuln-tree-heading">
+  <section
+    v-if="status === 'success' && hasVulnerabilities"
+    aria-labelledby="vuln-tree-heading"
+    class="relative"
+  >
     <!-- Collapsible vulnerability banner -->
     <div role="alert" class="rounded-lg border overflow-hidden" :class="bannerColor">
       <!-- Header -->
@@ -81,9 +82,17 @@ function getDepthStyle(depth: string | undefined) {
         <div class="flex items-center gap-2 min-w-0">
           <span class="i-carbon-warning-alt w-4 h-4 shrink-0" aria-hidden="true" />
           <span class="font-mono text-sm font-medium truncate">
-            {{ vulnTree!.totalCounts.total }}
-            {{ vulnTree!.totalCounts.total === 1 ? 'vulnerability' : 'vulnerabilities' }}
-            in {{ vulnTree!.vulnerablePackages.length }}/{{ vulnTree!.totalPackages }} packages
+            {{
+              t(
+                'package.vulnerabilities.tree_found',
+                {
+                  vulns: vulnTree!.totalCounts.total,
+                  packages: vulnTree!.vulnerablePackages.length,
+                  total: vulnTree!.totalPackages,
+                },
+                vulnTree!.totalCounts.total,
+              )
+            }}
           </span>
         </div>
         <div class="flex items-center gap-2 shrink-0">
@@ -106,26 +115,16 @@ function getDepthStyle(depth: string | undefined) {
             :class="getDepthStyle(pkg.depth).bg"
           >
             <div class="flex items-center justify-between gap-2 mb-2">
-              <div class="flex items-center gap-2 min-w-0">
-                <!-- Depth indicator icon with tooltip -->
-                <span
-                  v-if="pkg.depth === 'transitive'"
-                  class="i-carbon-tree-view w-3.5 h-3.5 shrink-0 cursor-help"
-                  :class="getDepthStyle(pkg.depth).text"
-                  :title="getDepthStyle(pkg.depth).tooltip"
-                />
-                <span
-                  v-else-if="pkg.depth === 'direct'"
-                  class="i-carbon-arrow-right w-3.5 h-3.5 shrink-0 cursor-help"
-                  :class="getDepthStyle(pkg.depth).text"
-                  :title="getDepthStyle(pkg.depth).tooltip"
-                />
+              <div class="flex items-center gap-2 min-w-0 relative">
+                <!-- Path badge - click to show tree popup -->
+                <DependencyPathPopup v-if="pkg.path && pkg.path.length > 1" :path="pkg.path" />
+
                 <NuxtLink
                   :to="{
                     name: 'package',
                     params: { package: [...pkg.name.split('/'), 'v', pkg.version] },
                   }"
-                  class="font-mono text-sm font-medium hover:underline truncate"
+                  class="font-mono text-sm font-medium hover:underline truncate shrink min-w-0"
                   :class="getDepthStyle(pkg.depth).text"
                 >
                   {{ pkg.name }}@{{ pkg.version }}
@@ -138,7 +137,7 @@ function getDepthStyle(depth: string | undefined) {
                   class="px-1.5 py-0.5 text-[10px] font-mono rounded border"
                   :class="SEVERITY_COLORS[s]"
                 >
-                  {{ pkg.counts[s] }} {{ s }}
+                  {{ pkg.counts[s] }} {{ t(`package.vulnerabilities.severity.${s}`) }}
                 </span>
               </div>
             </div>
@@ -160,7 +159,7 @@ function getDepthStyle(depth: string | undefined) {
                 <span class="truncate">{{ vuln.summary }}</span>
               </li>
               <li v-if="pkg.vulnerabilities.length > 2" class="text-xs text-fg-subtle">
-                +{{ pkg.vulnerabilities.length - 2 }} more
+                {{ t('package.vulnerabilities.more', { count: pkg.vulnerabilities.length - 2 }) }}
               </li>
             </ul>
           </li>
@@ -172,13 +171,26 @@ function getDepthStyle(depth: string | undefined) {
           class="w-full px-4 py-2 text-xs font-mono text-fg-muted hover:text-fg border-t border-border transition-colors duration-200"
           @click="showAllPackages = true"
         >
-          show all {{ vulnTree!.vulnerablePackages.length }} affected packages
+          {{
+            t('package.vulnerabilities.show_all_packages', {
+              count: vulnTree!.vulnerablePackages.length,
+            })
+          }}
         </button>
+
+        <!-- Warning if some queries failed -->
+        <div
+          v-if="vulnTree!.failedQueries"
+          class="px-4 py-2 text-xs text-fg-subtle border-t border-border flex items-center gap-2"
+        >
+          <span class="i-carbon-warning w-3 h-3" aria-hidden="true" />
+          <span>{{ t('package.vulnerabilities.packages_failed', vulnTree!.failedQueries) }}</span>
+        </div>
       </div>
     </div>
   </section>
 
-  <!-- Loading state -->
+  <!-- Loading state - muted -->
   <section
     v-else-if="status === 'pending' || status === 'idle'"
     aria-labelledby="vuln-tree-loading"
@@ -189,34 +201,41 @@ function getDepthStyle(depth: string | undefined) {
           class="i-carbon-circle-dash w-4 h-4 animate-spin motion-reduce:animate-none text-fg-subtle"
           aria-hidden="true"
         />
-        <span class="text-sm text-fg-subtle">Scanning dependency tree...</span>
+        <span class="text-sm text-fg-muted">{{ t('package.vulnerabilities.scanning_tree') }}</span>
       </div>
     </div>
   </section>
 
-  <!-- No vulnerabilities found -->
+  <!-- No vulnerabilities found - muted, not attention-grabbing -->
   <section
     v-else-if="status === 'success' && !hasVulnerabilities"
     aria-labelledby="vuln-tree-success"
   >
-    <div class="rounded-lg border border-green-500/30 bg-green-500/10 px-4 py-3">
+    <div class="rounded-lg border border-border bg-bg-subtle px-4 py-3">
       <div class="flex items-center gap-2">
-        <span class="i-carbon-checkmark-filled w-4 h-4 text-green-400" aria-hidden="true" />
-        <span class="text-sm text-green-400">
-          No known vulnerabilities in {{ vulnTree?.totalPackages ?? 0 }} packages
+        <span class="i-carbon-checkmark w-4 h-4 text-fg-subtle" aria-hidden="true" />
+        <span class="text-sm text-fg-muted">
+          {{ t('package.vulnerabilities.no_known', { count: vulnTree?.totalPackages ?? 0 }) }}
         </span>
       </div>
+      <!-- Warning if some queries failed -->
+      <div
+        v-if="vulnTree?.failedQueries"
+        class="flex items-center gap-2 mt-2 text-xs text-fg-subtle"
+      >
+        <span class="i-carbon-warning w-3 h-3" aria-hidden="true" />
+        <span>{{ t('package.vulnerabilities.packages_failed', vulnTree.failedQueries) }}</span>
+      </div>
     </div>
   </section>
 
-  <!-- Error state -->
+  <!-- Error state - subtle, not alarming -->
   <section v-else-if="status === 'error'" aria-labelledby="vuln-tree-error">
-    <div class="rounded-lg border border-red-500/30 bg-red-500/10 px-4 py-3">
+    <div class="rounded-lg border border-border bg-bg-subtle px-4 py-3">
       <div class="flex items-center gap-2">
-        <span class="i-carbon-warning-alt w-4 h-4 text-red-400" aria-hidden="true" />
-        <span class="text-sm text-red-400">
-          Failed to scan vulnerabilities
-          <template v-if="error?.message">: {{ error.message }}</template>
+        <span class="i-carbon-warning w-4 h-4 text-fg-subtle" aria-hidden="true" />
+        <span class="text-sm text-fg-muted">
+          {{ t('package.vulnerabilities.scan_failed') }}
         </span>
       </div>
     </div>

app/composables/useVulnerabilityTree.ts

@@ -1,5 +1,4 @@
 import type { VulnerabilityTreeResult } from '#shared/types/osv'
-import { encodePackageName } from './useNpmRegistry'
 
 /**
  * Shared composable for vulnerability tree data.
@@ -12,7 +11,7 @@ export function useVulnerabilityTree(
   // Build a stable key from the current values
   const name = toValue(packageName)
   const ver = toValue(version)
-  const key = `vuln-tree:${name}@${ver}`
+  const key = `vuln-tree:v1:${name}@${ver}`
 
   // Use useState for SSR-safe caching across components
   const data = useState<VulnerabilityTreeResult | null>(key, () => null)