mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

How to flag unmaintained, deprecated, or unsound? #547

Open kornelski opened 11 months ago

kornelski commented 11 months ago

The docs have no guidance on how to flag dependencies as needing fixes/replacement, but not stop-the-release urgently. A violation with any of the built-in criteria would be too disruptive.

How to flag low-severity vulnerabilities or unsoundness?

I'm not sure how to name custom criteria for use with violation. They're negated, so an unmaintained crate would be a violation and maintained criteria?

Maybe cargo-vet could have a dedicated support for warnings?

bholley commented 11 months ago

There's some discussion related to this in #446.