As we start including third-party libraries in WMF code, we should have a way to regularly check that the versions we deploy are not affected by published security advisories, i.e. that they include any security fixes.
My initial thought is to have Jenkins use https://security.sensiolabs.org/api to check any composer.lock files that are included in our patches. Their database is open for anyone to contribute to and is in the public domain: https://github.com/FriendsOfPHP/security-advisories
A simple job that runs the following will work (the service reports the number of matching advisories in the X-Alerts response header, so -i is needed to keep the headers in the saved output, and the grep fails the job unless that count is exactly 0):

  curl -i -H "Accept: text/plain" https://security.sensiolabs.org/check_lock -F lock=@composer.lock -o sensiolabs.check
  cat sensiolabs.check
  grep -F "X-Alerts: 0" sensiolabs.check
The job should run on each proposed patchset and once a day. Upon status change, an email notification should be sent to security@. A failed request or a response without an X-Alerts header should count as a failure rather than a pass, so that the job fails closed when the service is unreachable instead of silently reporting no vulnerabilities.
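One way to turn the one-liner above into a job script that fails closed and detects status changes between runs. This is an added example written for this ticket, not WMF or SensioLabs code; the state-file approach, the file names (sensiolabs.check, sensiolabs.state), the exit codes and the notification line that a Jenkins mail step would pick up are assumptions, and the sample responses it tests against are constructed, not real service output.

```shell
#!/bin/sh
# Hypothetical Jenkins job script (added example, not WMF or SensioLabs code).
# Usage: check_lock.sh path/to/composer.lock [state-file]
# Exit status: 0 = no matching advisories, 1 = advisories found, 2 = service not queryable.
set -u

API_URL="${API_URL:-https://security.sensiolabs.org/check_lock}"

# POST one composer.lock to the checker. -i keeps the response headers in the
# output file because the result we need (X-Alerts) is a header, not body text.
fetch_check() {
    lock="$1"; out="$2"
    : > "$out"   # make sure the file exists even if the transfer fails
    curl -sS -i -H "Accept: text/plain" "$API_URL" -F "lock=@$lock" -o "$out"
}

# Final HTTP status code of a saved response. The last HTTP/ line is taken so an
# intermediate "100 Continue" block (common for -F uploads) does not confuse us.
http_status() {
    grep -E '^HTTP/' "$1" | tail -n 1 | awk '{ print $2 }' | tr -d '\r'
}

# Value of the X-Alerts header, or empty if it is absent (error page, garbage, ...).
alert_count() {
    sed -n 's/^[Xx]-[Aa]lerts:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Map a saved response to one of: clean | alerts:<n> | error. A response without
# a 200 status or without X-Alerts is "error" rather than "clean": the job must
# fail closed if the service is down, not silently report no vulnerabilities.
classify() {
    if [ "$(http_status "$1")" != "200" ]; then echo error; return 0; fi
    n=$(alert_count "$1")
    case "$n" in
        "") echo error ;;
        0)  echo clean ;;
        *)  echo "alerts:$n" ;;
    esac
}

# Record the new status and print the previous one ("none" on the first run).
# Returns 0 only when the status changed, so the caller can gate the notification.
status_changed() {
    state_file="$1"; new_status="$2"; old_status=none
    if [ -f "$state_file" ]; then old_status=$(cat "$state_file"); fi
    printf '%s\n' "$new_status" > "$state_file"
    printf '%s\n' "$old_status"
    [ "$old_status" != "$new_status" ]
}

# Constructed sample responses for offline testing (not real service output).
write_sample_responses() {
    printf 'HTTP/1.1 200 OK\r\nX-Alerts: 0\r\nContent-Type: text/plain\r\n\r\nNo known vulnerabilities found.\n' > "$1/clean.check"
    printf 'HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 200 OK\r\nX-Alerts: 2\r\nContent-Type: text/plain\r\n\r\n(two advisories listed here)\n' > "$1/alerts.check"
    printf 'HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\n\r\n<html>down</html>\n' > "$1/down.check"
}

main() {
    lock="$1"; state="${2:-sensiolabs.state}"; resp="sensiolabs.check"
    fetch_check "$lock" "$resp" || echo "warning: transfer failed" >&2
    status=$(classify "$resp")
    if old=$(status_changed "$state" "$status"); then
        # A Jenkins mail step (e.g. email-ext) would send this; the address is assumed.
        echo "STATUS CHANGED for $lock: $old -> $status; notify security@"
    fi
    cat "$resp"
    case "$status" in clean) exit 0 ;; error) exit 2 ;; *) exit 1 ;; esac
}

# Only run the check when invoked with a lock file; sourcing just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

The state file has to persist between builds (a workspace file or a Jenkins artifact), otherwise every daily run looks like a change. Keeping "error" as a distinct status means the security@ notification also fires when the checker goes down or comes back, which is worth knowing since an unreachable checker means nothing is being checked.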