Hey, thanks for sharing @fridex, this looks really interesting.
Personally, I’d love to see installers like pip be able to take vulnerability data into account during resolution and installation. That’s the main goal of that PEP, and so I’d be curious about your thoughts on the current draft and whether it’d suit your expected use case.
Some previous discussion about this is here as well: https://discuss.python.org/t/towards-a-pip-audit-subcommand-for-vulnerability-analysis-management/17681