GitHub - expose Dependabot alerts in the workbench #178991

@lszomoru

Description

I have looked at the Dependabot REST/GraphQL APIs and, from the looks of it, a Dependabot alert contains information about a vulnerable package and the manifest file in which the package is listed, but it does not contain information about the location where the package is listed. This means that we cannot reliably create diagnostic information to display in the workbench. Our hypothesis was confirmed when testing the GitHub Advanced Security extension, which provides similar functionality: the extension displays diagnostic information based on a text search in the file rather than on explicit locations.

I think that this effort should be on hold until GitHub provides a better API. //cc @joaomoreno
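The workaround the comment describes, as an added example that is not code from this issue or from VS Code's GitHub extension: a Dependabot alert names the vulnerable package and its manifest path but no position, so an editor diagnostic range has to be recovered by searching the manifest text. The alert object and manifest below are constructed samples shaped like the REST API's `GET /repos/{owner}/{repo}/dependabot/alerts` response; the GHSA id is a placeholder. The example deliberately includes a similarly named package and a duplicate declaration to show where a text search is imprecise.

```typescript
// Added example, not code from the issue or from VS Code's GitHub extension.
// It maps a Dependabot alert (which carries package name + manifest path but
// no position) onto editor diagnostics by searching the manifest text.

interface DependabotAlert {
  number: number;
  state: 'open' | 'dismissed' | 'fixed';
  dependency: {
    package: { ecosystem: string; name: string };
    manifest_path: string;
  };
  security_advisory: { ghsa_id: string; severity: string; summary: string };
  security_vulnerability: {
    vulnerable_version_range: string;
    first_patched_version: { identifier: string } | null;
  };
}

// A minimal editor-style diagnostic: zero-based line and columns.
interface Diagnostic {
  file: string;
  line: number;
  startCol: number;
  endCol: number;
  severity: string;
  message: string;
}

// Constructed sample alert; the GHSA id is a placeholder, not a real advisory.
const sampleAlert: DependabotAlert = {
  number: 1,
  state: 'open',
  dependency: { package: { ecosystem: 'npm', name: 'example-lib' }, manifest_path: 'package.json' },
  security_advisory: { ghsa_id: 'GHSA-xxxx-xxxx-xxxx', severity: 'high', summary: 'Constructed sample advisory' },
  security_vulnerability: { vulnerable_version_range: '< 1.2.3', first_patched_version: { identifier: '1.2.3' } },
};

// Constructed manifest: a similarly named package sits above the real one,
// and the same package is declared again under devDependencies.
const sampleManifest = [
  '{',
  '  "name": "demo",',
  '  "dependencies": {',
  '    "example-lib-extra": "^0.9.0",',
  '    "example-lib": "^1.0.0"',
  '  },',
  '  "devDependencies": {',
  '    "example-lib": "^1.0.0"',
  '  }',
  '}',
].join('\n');

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Find every line that declares the package. In npm manifests the package is a
// quoted JSON key, so searching for the quoted name avoids matching
// "example-lib-extra"; other ecosystems fall back to a word-boundary match.
function locateDependency(manifest: string, pkg: string, ecosystem: string) {
  const pattern = ecosystem === 'npm'
    ? new RegExp(`"${escapeRegExp(pkg)}"`)
    : new RegExp(`\\b${escapeRegExp(pkg)}\\b`);
  const hits: { line: number; startCol: number; endCol: number }[] = [];
  manifest.split(/\r?\n/).forEach((text, line) => {
    const m = pattern.exec(text);
    if (m) hits.push({ line, startCol: m.index, endCol: m.index + m[0].length });
  });
  return hits;
}

// One diagnostic per textual match. Because the alert carries no position,
// the duplicate devDependencies entry is flagged as well: the caller cannot
// tell which declaration Dependabot actually resolved.
function alertToDiagnostics(alert: DependabotAlert, manifest: string): Diagnostic[] {
  const { name, ecosystem } = alert.dependency.package;
  const fix = alert.security_vulnerability.first_patched_version?.identifier ?? 'no patched version';
  const message = `${alert.security_advisory.ghsa_id}: ${alert.security_advisory.summary} ` +
    `(${name} ${alert.security_vulnerability.vulnerable_version_range}; fixed in ${fix})`;
  return locateDependency(manifest, name, ecosystem).map(hit => ({
    file: alert.dependency.manifest_path,
    severity: alert.security_advisory.severity,
    message,
    ...hit,
  }));
}

for (const d of alertToDiagnostics(sampleAlert, sampleManifest)) {
  console.log(`${d.file}:${d.line + 1}:${d.startCol + 1}-${d.endCol + 1} [${d.severity}] ${d.message}`);
}
```

Running it against the sample prints two diagnostics for the same alert, one per `"example-lib"` declaration, which is exactly the ambiguity the comment points at: nothing in the alert says which of the two lines Dependabot resolved, so a text search can only over-report.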

Labels: feature-request (Request for new features or functionality), github (Github extension)