More efficient dependent tracking

[Rexios80]

Don't track transitive dependents

Right now we're using metrics.scorecard.panaReport.allDependencies to get package dependencies, but that includes transitive dependencies. Should we instead fetch a pubspec for each package and use pubspec.allDependencies which does not include transitive?

Pros:

• Less database storage
• Less container memory usage when processing package data

Cons:

• Requires an extra API call per package
• Do developers care about transitive dependents?

Don't track dependents for packages from Google-owned publishers

These packages have an exceptionally high number of dependents, and a significant amount are added every scan. There are so many dependents for these packages that I can't imagine anyone would care if they are tracked or not.

Pros:

• Less database storage

Cons:

• Google engineers might want this data?

[Rexios80]

Only implement these changes if database storage or container resource usage become an issue

Will need to prune the database for this:

• Remove all dependent data and history for Google-owned packages
• Remove all dependent data and history for transitive dependents (the history part might be tricky)

[Rexios80]

Also not tracking dependents for unlisted/discontinued packages at all would be a good idea

[Rexios80]

Transitive dependents are no longer tracked

[Rexios80]

Closing for now. WIll reopen if storage becomes an issue.