Description
Surfacing that a (version of) package itself has a reported vulnerability is useful information for end-users. But transitive (deep/nested) vulnerabilities are much more likely to be false positives. False positives from "dumb" audit report mechanisms such as npm audit are a big source of spam in open source (https://overreacted.io/npm-audit-broken-by-design, https://arxiv.org/abs/2601.20240, https://www.joshuakgoldberg.com/blog/please-stop-sending-me-nested-dependency-security-reports if you'll permit my self-post, etc.). For example, in Mocha we receive a few well-intended spam issues every time a new transitive vulnerability is reported (e.g. mochajs/mocha#5779, mochajs/mocha#5780).
Without a way for packages to register themselves as unaffected, having that big angry Vulns indicator on the package makes it seem like the transitive vulnerabilities impact the package. I'd really prefer for the newer, better npmjs to not contribute to this common misperception that transitive vulnerabilities are by nature relevant vulnerabilities. A lot of devs will look at a package registry page, see a bad text+number combo, and not read any further.
Vague straw man starting proposal: how about adding a toggle to Vulns about whether to count transitive dependencies? It can be off-by-default and have informative text about false reports attached to it, to help make sure folks only get that info if they've been informed about its downsides.
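As an added illustration of the proposed toggle (example code, not part of the issue or of npm), the snippet below takes an `npm audit --json`-style report and counts only advisories that sit on direct dependencies, treating everything else as transitive. The report object is constructed for this example; the `isDirect` and `via` fields follow the npm 7+ audit JSON shape, which is an assumption here.

```javascript
// Constructed audit report in the npm 7+ `npm audit --json` shape (assumed):
// `isDirect` marks a direct dependency, `via` holds either advisory objects
// (the package itself is vulnerable) or strings (flagged only through a dependency).
const constructedReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    // transitive: nested package carrying the actual advisory
    'example-glob-matcher': {
      name: 'example-glob-matcher', severity: 'high', isDirect: false,
      via: [{ source: 0, name: 'example-glob-matcher', title: 'constructed advisory', range: '<2.0.0' }],
      effects: ['example-cli'],
    },
    // direct dependency flagged only because it depends on the package above
    'example-cli': {
      name: 'example-cli', severity: 'high', isDirect: true,
      via: ['example-glob-matcher'],
      effects: [],
    },
    // direct dependency with an advisory of its own
    'example-parser': {
      name: 'example-parser', severity: 'moderate', isDirect: true,
      via: [{ source: 1, name: 'example-parser', title: 'constructed advisory', range: '<1.4.0' }],
      effects: [],
    },
  },
};

// True when at least one `via` item is an advisory object rather than a
// dependency name, i.e. the advisory is on this package, not inherited.
function hasOwnAdvisory(entry) {
  return entry.via.some((v) => typeof v === 'object' && v !== null);
}

// Split flagged packages into 'direct' (direct dependency with its own advisory)
// and 'transitive' (nested advisory, or a direct dependency flagged only via its chain).
function classifyVulnerabilities(report) {
  const result = { direct: [], transitive: [] };
  for (const entry of Object.values(report.vulnerabilities)) {
    if (entry.isDirect && hasOwnAdvisory(entry)) result.direct.push(entry.name);
    else result.transitive.push(entry.name);
  }
  return result;
}

// Number a "Vulns" badge would show; transitive findings are off by default.
function vulnCount(report, { includeTransitive = false } = {}) {
  const { direct, transitive } = classifyVulnerabilities(report);
  return includeTransitive ? direct.length + transitive.length : direct.length;
}

console.log(vulnCount(constructedReport), vulnCount(constructedReport, { includeTransitive: true }));
```

With the toggle off the badge shows 1 (only `example-parser`); with it on it shows 3, which is the inflated number the issue is complaining about.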
