Status: Open
Labels: Stale, kind/enhancement (New feature or request), kind/new-check (New check for scorecard)

Description
Proposal for a new check: project’s mean time to update (MTTU) — what is the average number of days it takes a project to update to a new version of a dependency?
The recent Sonatype State of the Supply Chain report states that 6 out of 7 vulnerabilities are transitive. The report says that “Two critical factors for reducing the risk of transitive vulnerabilities are minimizing the total number of dependencies and maintaining low update times.”
The MTTU check would give consumers an easy way to judge the risk of transitive vulnerabilities in their dependencies.
Potentially it could be combined with a check that uses deps.dev data to also give the total number of dependencies a project uses.
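How the proposed metric could be computed, as an added example that is not Scorecard's code and not part of the issue. It assumes two inputs the check would have to gather: release dates per dependency version (the kind of data deps.dev or a registry provides) and the date the project first pinned each version (e.g. the commit date of the lockfile change). The types, function names and the sample history are constructed for illustration; MTTU is the mean of the per-version lags, and the median is reported alongside because one long-ignored dependency skews the mean.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Release is one published version of a dependency (hypothetical type).
type Release struct {
	Dep       string
	Version   string
	Published time.Time
}

// Adoption is when the project first pinned Dep to Version (hypothetical type).
type Adoption struct {
	Dep     string
	Version string
	Adopted time.Time
}

// UpdateLags returns, in days, how long the project took to move to each
// version it adopted, measured from that version's release date.
// Adoptions with no release record are skipped, as are adoption dates that
// precede the release (bad data, not a negative lag). Versions the project
// never adopted contribute nothing: jumping from v1.0 straight to v1.2 is
// measured by the v1.2 lag alone.
func UpdateLags(releases []Release, adoptions []Adoption) []float64 {
	published := make(map[string]time.Time, len(releases))
	for _, r := range releases {
		published[r.Dep+"@"+r.Version] = r.Published
	}
	var lags []float64
	for _, a := range adoptions {
		p, ok := published[a.Dep+"@"+a.Version]
		if !ok || a.Adopted.Before(p) {
			continue
		}
		lags = append(lags, a.Adopted.Sub(p).Hours()/24)
	}
	return lags
}

// MeanTimeToUpdate is the MTTU as proposed: the mean lag. ok is false when
// there is nothing to average, which a check should report as "no data",
// not as a perfect score of zero days.
func MeanTimeToUpdate(lags []float64) (mttu float64, ok bool) {
	if len(lags) == 0 {
		return 0, false
	}
	var sum float64
	for _, l := range lags {
		sum += l
	}
	return sum / float64(len(lags)), true
}

// MedianTimeToUpdate is the median lag, robust to a single outlier.
func MedianTimeToUpdate(lags []float64) (float64, bool) {
	if len(lags) == 0 {
		return 0, false
	}
	s := append([]float64(nil), lags...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2], true
	}
	return (s[n/2-1] + s[n/2]) / 2, true
}

// DistinctDependencies counts dependencies in the adoption history, the
// companion number the proposal suggests reporting next to MTTU.
func DistinctDependencies(adoptions []Adoption) int {
	seen := map[string]bool{}
	for _, a := range adoptions {
		seen[a.Dep] = true
	}
	return len(seen)
}

// SampleData is constructed input, not real registry or repository history.
func SampleData() ([]Release, []Adoption) {
	d := func(y int, m time.Month, day int) time.Time {
		return time.Date(y, m, day, 0, 0, 0, 0, time.UTC)
	}
	releases := []Release{
		{"example.com/libfoo", "v1.0.0", d(2023, time.January, 1)},
		{"example.com/libfoo", "v1.1.0", d(2023, time.February, 1)}, // never adopted
		{"example.com/libfoo", "v1.2.0", d(2023, time.March, 15)},
		{"example.com/libbar", "v2.0.0", d(2023, time.May, 1)},
	}
	adoptions := []Adoption{
		{"example.com/libfoo", "v1.0.0", d(2023, time.January, 6)}, // 5 days
		{"example.com/libfoo", "v1.2.0", d(2023, time.March, 25)},  // 10 days
		{"example.com/libbar", "v2.0.0", d(2023, time.June, 15)},   // 45 days
		{"example.com/libbaz", "v0.1.0", d(2023, time.July, 1)},    // no release record: skipped
	}
	return releases, adoptions
}

func main() {
	releases, adoptions := SampleData()
	lags := UpdateLags(releases, adoptions)
	mean, _ := MeanTimeToUpdate(lags)
	median, _ := MedianTimeToUpdate(lags)
	fmt.Printf("lags (days): %v\n", lags)
	fmt.Printf("MTTU mean=%.1f median=%.1f over %d dependencies\n",
		mean, median, DistinctDependencies(adoptions))
}
```

On the sample history the mean is 20 days but the median is 10: the libbar upgrade alone doubles the mean, which is the main reason a check built on this metric should surface both numbers and the number of lags they were computed from.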
Metadata
Projects: Backlog - New Checks