Better mechanism to respond to security advisories and warn users

[hasufell]

Related: haskell/security-advisories#129

Right now, GHCup has a mechanism of:

• printing custom post-install messages
• printing update warnings on startup (but only for the latest, not the recommend channel, unfortunately)

These can somewhat be used to inform users, but it might probably be worthwhile to add explicit support for security advisories.

We could either:

• check on startup (just like update warnings), or...
• make it part of the long planned healthcheck command: Create 'ghcup healthcheck' command #701
• or make a separate audit subcommand

My idea would be to encode the CVE information into the metadata, not parse or download the actual Haskell HSECs.

@TristanCacqueray @frasertweedale @blackheaven @mihaimaruseac

[blackheaven]

It sounds reasonable, I guess that the first step would be to merge security-advisories to ghcup-metadata, right?

[frasertweedale]

If you don't want the ghcup client to parse the advisories but instead consume curated data in the metadata files, there should ideally be some automation to detect the advisories of interest and add them to the ghcup-metadata. Right now you can access the "raw" advisories in our main branch, or the OSV data in the osv-export branch. If you need something more or something different, please let the SRT know.