
Typeshed bots to keep track of security? #141

Open
Akuli opened this issue Jul 16, 2024 · 1 comment

Akuli commented Jul 16, 2024

(Related to #90)

Maybe we should create bots that notify us when a typeshed pull request affects the dependencies of popular packages? If one of those dependencies gets hacked, many people and servers will install the malware, so changing those dependencies (sometimes in surprising indirect ways) should be seen as a red flag.

Some ideas:

  • If a typeshed pull request affects which packages pip install types-requests pulls in, then a bot posts a comment saying that now types-requests indirectly depends on foo.
  • If a typeshed pull request causes pip install types-requests to pull in something it didn't pull in before, then a bot marks that PR with a label so maintainers will review it extra carefully.
  • If a typeshed pull request causes pip install types-requests to pull in something it didn't pull in before, then two typeshed maintainers need to approve the PR before it can be merged. (I haven't looked into ways to enforce this.)

I am following our "convention" of using types-requests as an example of a popular package, but the same would apply to other popular packages, basically anything with more than x weekly/monthly/yearly downloads.

srittau commented Jul 16, 2024

Maybe an even easier solution would be that the bot (or CI trigger) would just flag any PR where a third-party METADATA file was changed. Although personally, unless it's a very big PR, I think I'd notice such changes.
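The following is a sketch of what such a bot could compute, added here as an example; it is not code from typeshed or from either commenter. It takes a before/after snapshot of the repository's stubs/*/METADATA.toml files, flags every METADATA.toml that changed (the simpler check suggested above), and additionally reports which types-* distributions would newly pull in a dependency after the PR, including indirectly through another stub's "requires" list (the surprising indirect case from the first comment). The snapshot contents, the "types-foo" dependency and the helper names are constructed assumptions; the stubs/<distribution>/METADATA.toml layout and its "requires" key follow typeshed's convention.

```python
"""Flag typeshed PRs that change what a stub distribution pulls in (illustrative, not typeshed code)."""
import re
from pathlib import PurePosixPath

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # assumption: the tomli backport is installed on older interpreters
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed repository snapshots: path -> file contents, before and after a hypothetical PR.
# The PR adds a new dependency "types-foo" to the requests stubs; requests-oauthlib depends on
# types-requests and therefore picks it up indirectly.
BEFORE = {
    "stubs/requests/METADATA.toml": 'version = "2.31.*"\nrequires = ["urllib3>=2"]\n',
    "stubs/requests-oauthlib/METADATA.toml": 'version = "1.3.*"\nrequires = ["types-requests"]\n',
    "stubs/requests/requests/api.pyi": "def get(url: str) -> object: ...\n",
}
AFTER = dict(BEFORE)
AFTER["stubs/requests/METADATA.toml"] = 'version = "2.31.*"\nrequires = ["urllib3>=2", "types-foo"]\n'
AFTER["stubs/requests/requests/api.pyi"] = "def get(url: str, *, timeout: float = ...) -> object: ...\n"

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def dependency_name(requirement: str) -> str:
    """Reduce a PEP 508-style requirement ("types-urllib3>=1.26", "Foo[extra]") to a normalized name."""
    match = _NAME_RE.match(requirement)
    if not match:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return re.sub(r"[-_.]+", "-", match.group(1)).lower()


def _is_stub_metadata(path: str) -> bool:
    parts = PurePosixPath(path).parts
    return len(parts) == 3 and parts[0] == "stubs" and parts[2] == "METADATA.toml"


def direct_requires(tree: dict[str, str]) -> dict[str, set[str]]:
    """Map each stub distribution (types-<dist>) to the dependencies its METADATA.toml declares."""
    graph: dict[str, set[str]] = {}
    for path, text in tree.items():
        if not _is_stub_metadata(path):
            continue
        data = tomllib.loads(text)
        dist = PurePosixPath(path).parts[1]
        graph[f"types-{dist}"] = {dependency_name(r) for r in data.get("requires", [])}
    return graph


def transitive_requires(graph: dict[str, set[str]], package: str) -> set[str]:
    """Everything `pip install <package>` would pull in, following requires edges between stubs.

    Dependencies that are not typeshed stubs (or not in this snapshot) are leaves.
    """
    seen: set[str] = set()
    stack = [package]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def changed_metadata_files(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """METADATA.toml files that were added, removed or modified by the PR."""
    paths = set(before) | set(after)
    return sorted(p for p in paths if _is_stub_metadata(p) and before.get(p) != after.get(p))


def review_findings(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """Lines a bot could post on the PR; an empty list means there is nothing to flag."""
    findings = [
        f"{path} was modified; review dependency changes carefully"
        for path in changed_metadata_files(before, after)
    ]
    graph_before, graph_after = direct_requires(before), direct_requires(after)
    for package in sorted(set(graph_before) | set(graph_after)):
        added = transitive_requires(graph_after, package) - transitive_requires(graph_before, package)
        if added:
            findings.append(f"pip install {package} now pulls in: {', '.join(sorted(added))}")
    return findings


if __name__ == "__main__":
    for line in review_findings(BEFORE, AFTER):
        print(line)
```

In CI the two snapshots would come from the PR's base and head commits (for example via git show on each METADATA.toml path); the .pyi change in the sample is deliberately ignored, since only dependency metadata matters here. The transitive step is what turns "types-requests gained a dependency" into "types-requests-oauthlib now pulls in types-foo as well", which a reviewer looking at the diff alone would not see.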
