https://scorecard.dev can help identify vulnerable packages in a project's dependencies, and other risky practices.
For example, for sigstore: sigstore requires json-syntax (which is barely maintained), json-syntax requires locspan-derive (which is unmaintained), and locspan-derive requires proc-macro-error, which is dead and superseded by proc-macro-error2: rust-lang/docs.rs#2595