List dependency updates in MR
Problem to solve
When reviewing an MR, I want to quickly check which project dependencies have been upgraded or downgraded. This helps me assess the risk of introducing a bug or a security issue.
If the MR has been created to update a specific dependency, I can review what's been updated as a side-effect of that update. In particular, it helps me review MRs created by Auto-Remediation for Dependency Scanning.
I need to compare the new package version (in the source branch) to the current one (in the target branch).
Proposal
In the MR, list all the project dependencies that have changed. The list must at least contain:
- package type/package manager
- package name
- current version, in target branch
- new version, in the source branch
Ideally this list is similar to the existing Dependency List, with an extra column showing the new versions (in the source branch).
TBD: The list might also contain newly introduced dependencies as well as dependencies that have been removed. This is related to the Security Gates for new dependencies. cc @plafoucriere
Technically this feature can be implemented by comparing the (latest) Dependency Scanning report for the source branch to the (latest) report for the target branch, in the Rails backend. cc @brytannia
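As an added illustration (not part of the issue or of GitLab's code), the comparison sketched above, done over the `dependency_files` section of two Dependency Scanning reports. The report shape (`package_manager`, `dependencies[].package.name`, `dependencies[].version`) is assumed from the public report schema; both reports are constructed sample data with made-up versions.

```python
"""Diff two GitLab Dependency Scanning reports and list dependency changes."""
import json

# Constructed sample reports in the shape of gl-dependency-scanning-report.json.
# Only `dependency_files` is read; field names are assumed from the public
# report schema and the package versions are made up for the example.
TARGET_REPORT = json.dumps({"dependency_files": [
    {"path": "package-lock.json", "package_manager": "npm", "dependencies": [
        {"package": {"name": "lodash"}, "version": "4.17.15"},
        {"package": {"name": "minimist"}, "version": "1.2.0"},
        {"package": {"name": "left-pad"}, "version": "1.3.0"}]},
    {"path": "Gemfile.lock", "package_manager": "bundler", "dependencies": [
        {"package": {"name": "rails"}, "version": "6.0.3.1"}]}]})

SOURCE_REPORT = json.dumps({"dependency_files": [
    {"path": "package-lock.json", "package_manager": "npm", "dependencies": [
        {"package": {"name": "lodash"}, "version": "4.17.19"},
        {"package": {"name": "minimist"}, "version": "1.2.5"},
        {"package": {"name": "node-fetch"}, "version": "2.6.0"}]},
    {"path": "Gemfile.lock", "package_manager": "bundler", "dependencies": [
        {"package": {"name": "rails"}, "version": "6.0.3.1"}]}]})


def index_dependencies(report_json):
    """Map (package_manager, name) -> version for every dependency in a report."""
    index = {}
    for dep_file in json.loads(report_json).get("dependency_files", []):
        manager = dep_file["package_manager"]
        for dep in dep_file["dependencies"]:
            index[(manager, dep["package"]["name"])] = dep["version"]
    return index


def diff_dependencies(target_json, source_json):
    """Return rows (package_manager, name, current_version, new_version, change).

    current_version is read from the target-branch report, new_version from the
    source-branch report; None marks a dependency present on only one side.
    """
    target, source = index_dependencies(target_json), index_dependencies(source_json)
    rows = []
    for key in sorted(set(target) | set(source)):
        old, new = target.get(key), source.get(key)
        if old == new:
            continue  # unchanged dependency: not shown in the MR list
        change = "added" if old is None else "removed" if new is None else "changed"
        rows.append((key[0], key[1], old, new, change))
    return rows


if __name__ == "__main__":
    for row in diff_dependencies(TARGET_REPORT, SOURCE_REPORT):
        print("{:<8} {:<12} {!s:>10} -> {!s:<10} {}".format(*row))
```

Added and removed packages come out of the same pass, so the "TBD" part of the proposal costs nothing extra once both reports are indexed.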
/cc @NicoleSchwartz @gonzoyumo @ngeorge1