
GitHub recently introduced a feature that notifies you about security vulnerabilities in your package-lock.json. I would like to resolve these issues, but the majority of packages listed here are dependencies of my dependencies, and so it is unclear which top-level package (listed in my package.json) needs to be upgraded in order to address the issue.

I realize that I could go into my package-lock.json, find the package, trace it up until I get to a package in my package.json, but that seems unnecessarily tedious when I have dozens of packages to update. Writing a script to automate that wouldn't be too hard either, but before I undertake that effort my hope is there's either an existing tool or (ideally) an npm function that will simply give me the answer.

So, riding the assumption that I can't possibly be the first person to want to do this, my question is: How can I determine which package in my package.json resulted in another particular package being listed in my package-lock.json without manually going through the package-lock and tracing back every package?

MaxPRafferty

1 Answer


You can use npm ls <package_name>.

Example output:

# npm ls promzard
└─┬ init-package-json@0.0.4
  └── promzard@0.1.5
Pistos