expressjs / response-time

Response time header for node.js
MIT License
466 stars 71 forks

add a badge for known vulnerabilities #11

Closed aviadatsnyk closed 7 years ago

aviadatsnyk commented 7 years ago

Disclaimer: I am a snyk employee. Disclaimer: I am a user of this repository. Seeing all these badges on the top of the readme, I find I'd also like to know the latest version is free of known vulnerabilities, which is what this badge is all about.

dougwilson commented 7 years ago

Hi @aviadatsnyk thanks for the suggestion! Our badges are a fixed set, as specified in https://github.com/expressjs/express/blob/master/Readme-Guide.md#top-level-items to make our READMEs uniform. We can certainly consider adding a new badge, but would need to discuss this first, so opening a PR is probably premature. I would suggest opening an issue in https://github.com/expressjs/discussions/issues to bring up the discussion.

The main evaluation points we have used for badges in the past are the following:

  1. Does the badge inform the user of something important?
  2. Is the badge only updated with a direct response to a contributor action (i.e. pushing to the repo)?
  3. If the badge changes on its own, does the underlying service provide a minimum of 24 hours notice prior to altering the badge state such that the contributors can take action?

aviadatsnyk commented 7 years ago

Hi @dougwilson - thank you for the detailed comment.

I'll take it to discussions.

aviadatsnyk commented 7 years ago

moved to https://github.com/expressjs/discussions/issues/57