Dependency Scanning: Link users to file where vulnerability is occurring not the lock file.
Background
Today for Dependency Scanning we link users to the lock file where we've detected an issue. However, if the user wants to fix the problem then going to the lock file is considered bad practice based on conversations with @plafoucriere. We should instead, link users to the file that they should edit to fix the vulnerability.
Problem
We link users to the lock file in some cases with dependency scanning which should not be manually edited.
Solution
Link users to the file they need to edit to fix the vulnerability.