Idea: Security advisories as part of crates.io metadata

warn by default with optional hard failure

Where would this option be? Something like #[deny(security_advisories)] or within Cargo.toml? Or just as a CLI option? I suspect that the former isn't doable since that sort of metadata is not available anymore at compile time.

store a DWF ID for each vuln. Obtaining one automatically if one isn't passed in explicitly is gravy.

Oh that makes sense, I'd vote for this too.

(TIL what gravy means in this context: optional)
Anybody else?