Using SourceRank score to warn or limit packages

Here is a project called pipctl, which uses OSV's vulnerability data to constrain which packages can be installed. The main aim of the tool is to control the resolution process, hence the name. It was discussed here, but the pip maintainers were not open to adding such functionality to pip itself. I can imagine the tool being extended to feed SourceRank or other information into the resolution of application dependencies (for example, whether a given package is signed, its quality aspects, …).
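As an added example in the spirit of the idea above (this is not pipctl's code, nor part of the original post), the Python script below takes OSV-style advisories and a SourceRank-like score table and emits a pip constraints file that excludes vulnerable versions, warns on low-scoring packages and blocks very low-scoring ones. The advisory id, package names, candidate versions and scores are all constructed for illustration; the `introduced`/`fixed` event shape follows OSV's real `affected[].ranges[]` layout, while the score thresholds `warn_below` and `block_below` are arbitrary assumptions.

```python
"""Constructed example: OSV-style advisories + SourceRank-like scores -> pip constraints.
Ids, package names, versions and scores below are invented for illustration."""
from __future__ import annotations

from typing import Iterable

# Constructed advisory mimicking OSV's affected[].ranges[].events shape; not a real record.
OSV_ADVISORIES = [{
    "id": "EXAMPLE-2024-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.1"}]}],
    }],
}]

# Constructed SourceRank-like scores (invented numbers, not real libraries.io data).
SOURCERANK = {"examplelib": 18, "leftpad2": 3}

# Constructed candidate versions, as an index would list them.
CANDIDATES = {
    "examplelib": ["0.9.0", "1.0.0", "1.1.0", "1.2.0", "1.2.1"],
    "leftpad2": ["0.1.0", "0.2.0"],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Release segment only (assumption: no pre/post/dev suffixes). Trailing zeros are
    stripped so that 1.2 and 1.2.0 compare equal, as PEP 440 requires."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(ver: tuple[int, ...], introduced: str, fixed: str | None) -> bool:
    """OSV semantics: 'introduced' is inclusive, 'fixed' is exclusive, None is open-ended."""
    if ver < parse_version(introduced):
        return False
    return fixed is None or ver < parse_version(fixed)


def is_affected(name: str, version: str, advisory: dict) -> bool:
    """True if the advisory's affected ranges (or explicit version list) cover version."""
    ver = parse_version(version)
    for aff in advisory["affected"]:
        if aff["package"]["name"].lower() != name.lower():
            continue
        if version in aff.get("versions", []):  # explicit enumeration form
            return True
        for rng in aff.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            introduced = None
            for event in rng["events"]:
                if "introduced" in event:
                    introduced = event["introduced"]
                elif "fixed" in event and introduced is not None:
                    if in_range(ver, introduced, event["fixed"]):
                        return True
                    introduced = None
                elif "last_affected" in event and introduced is not None:
                    if parse_version(introduced) <= ver <= parse_version(event["last_affected"]):
                        return True
                    introduced = None
            if introduced is not None and in_range(ver, introduced, None):
                return True  # open-ended range: no fix published yet
    return False


def constrain(name: str, candidates: Iterable[str], advisories: list, scores: dict,
              warn_below: int = 10, block_below: int = 5) -> dict:
    """Build one pip constraints line: vulnerable candidates are excluded with '!=';
    a package scoring under block_below has every known candidate excluded, so pip
    fails resolution instead of silently installing it. Thresholds are assumptions."""
    excluded: list[str] = []
    reasons: list[str] = []
    score = scores.get(name)
    blocked = score is not None and score < block_below
    if blocked:
        reasons.append(f"{name}: score {score} < {block_below}, blocking all candidates")
    elif score is None or score < warn_below:
        reasons.append(f"{name}: score {score} below warn threshold {warn_below}")
    for version in candidates:
        ids = [a["id"] for a in advisories if is_affected(name, version, a)]
        if ids or blocked:
            excluded.append(version)
        if ids:
            reasons.append(f"{name}=={version}: {', '.join(ids)}")
    constraint = name + ",".join(f"!={v}" for v in excluded) if excluded else None
    return {"constraint": constraint, "reasons": reasons}


def constraints_file(candidates: dict, advisories: list, scores: dict) -> str:
    """Render a constraints.txt: reasons as comments, then the constraint lines."""
    lines: list[str] = []
    for name, versions in sorted(candidates.items()):
        result = constrain(name, versions, advisories, scores)
        lines.extend("# " + r for r in result["reasons"])
        if result["constraint"]:
            lines.append(result["constraint"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(constraints_file(CANDIDATES, OSV_ADVISORIES, SOURCERANK), end="")
```

The generated file is meant to be passed to pip as `pip install -c constraints.txt -r requirements.txt`. Two caveats a practitioner should keep in mind: a constraints file can only exclude versions it knows about, so a version published after the file was generated is not covered and the file must be regenerated for every resolve; and pip has no way to say "no version at all", so excluding every known candidate is the closest approximation to blocking a package.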