I sent the below message to the help-gnu-emacs mailing list, but I wanted to also raise the same question on the emacs-devel list, as it's more related to potential feature improvements in emacs.
---------- Forwarded message ---------
From: Gulshan Singh <firstname.lastname@example.org>
Date: Tue, Jul 12, 2022 at 1:54 PM
Subject: Should package.el support notifying on package security updates?
I recently reported a security issue for a package on MELPA, where even
though I trusted the package author, if I used the package to process
untrusted data that data code be crafted in a way to execute arbitrary
code on my system. This led me to wonder if there was any mechanism for
package.el to distinguish between regular updates and security updates,
and I wasn't able to find any information on this.
Has there been any past discussion on this? As an example, on Ubuntu you
can see how many of the pending updates are security updates as opposed
to regular updates, and you can configure the system to auto-update just
the security updates. I feel like the package manager in emacs should
have something similar, but maybe I'm missing something about why this
functionality isn't included.