Write information about package resolution to a file (`.dart_tool/pub/resolution_findings.json`?) for better IDE integration

[DanTup]

I'm raising this based on discussions in Dart-Code/Dart-Code#4256 about surfacing more info from Pub and the resolution results in IDEs.

@sigurdm wrote:

Thinking about this now, we could perhaps surface security advisories the same way as analyzer warnings. The "outdated" ones should probably be more subtle.

Always having pub output a timestamped .dart_tool/pub/resolution_findings.json sounds like a promising direction. It could contain findings from the last resolution, together with severities and locations in pubspec.yaml.

If this information was written on a JSON file, the analysis server could read it and (depending on user preferences in analysis_options.yaml) could produce diagnostics (warnings/errors/info) attached to the dependencies in pubspec.yaml (or in the case of transitive dependencies, pubspec.lock?).

[sigurdm]

@bwilkerson do you have preferences of how this could look?

I imagine something like:

{
  "findings": [
    {
      "file": "pubspec.yaml",
      "offset": 27,
      "length": 15,
      "severity": "info",
      "message": "Newer version available",
      "suggestion": "Run `pub upgrade foo`" 
    }
  ]
}

[DanTup]

"suggestion": "Run pub upgrade foo"

It might be good if we could structure this in a way that the server can provide it as a Code Action rather than requiring the user do it, for example:

action: {
  title: "Run 'pub upgrade foo'",
  command: "pub",
  args: ["upgrade", "foo"]
}

Or if we don't want to support arbitrary commands we could define some well-known commands for server:

action: {
  title: "Run 'pub upgrade foo'",
  command: "dart.pub.upgrade", // this could be something defined by server, similar to (or the same as) LSP commands
  args: ["foo"]
}