Dear GHC devs,
I think that having automated security advisory warnings from build tools is important for Haskell adoption in certain industries. This can be done based on build plans, but a package is really the wrong granularity - a large, widely-used package might export a little-used definition that is the subject of an advisory, and it would be good to warn only the users of said definition (cf. base and readFloat).
Thanks!
David