
LSP server #115

@andrew

Extension candidate: git-pkgs-lsp. A Language Server Protocol server that provides dependency information inline in editors.

The roadmap describes hovering over require('lodash') and seeing version, vulnerabilities, license, who added it, and a link to package metadata. The data for all of this already exists across git-pkgs commands -- list for version, vulns for CVEs, licenses for license, blame for who added it, urls for registry links, outdated for available updates.

Capabilities to implement:

  • Hover -- over a package name in any manifest or lockfile, show current version, latest available, license, known vulnerabilities, and who added it
  • Diagnostics -- warn on vulnerable packages, deprecated packages, outdated versions, license violations. Severity levels map to existing command flags (--deny, --permissive, --copyleft)
  • Code actions -- quick-fix to update a pinned version, link to vulnerability details, open registry page
  • Code lenses -- inline vulnerability count or staleness per dependency

The server needs to know which files are manifests, which the manifests module already handles for 40+ formats. File-type detection drives which lines contain package references and how to parse them.

Complements #114 (MCP server) -- LSP for humans editing manifests, MCP for agents working programmatically. Both consume the same underlying data and would both benefit from #116 (read-only database package) for performance.
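A sketch of the Diagnostics capability described in this issue, added here as an illustration and not code from git-pkgs or from the issue author. It assumes a package.json-style manifest, a hypothetical `Advisory` record and an assumed severity mapping; the manifest and advisory ID are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Advisory is a hypothetical record shape, not the project's own type.
type Advisory struct{ ID, Severity string }

// Diagnostic carries the LSP Diagnostic fields used here (zero-based positions).
type Diagnostic struct {
	Line, StartChar, EndChar, Severity int
	Message                            string
}

// Matches a `"name": "version"` entry as found in package.json dependencies.
var depLine = regexp.MustCompile(`^\s*"([^"]+)"\s*:\s*"([^"]+)"`)

// lspSeverity maps to LSP DiagnosticSeverity (1 Error, 2 Warning, 3 Information); assumed mapping.
func lspSeverity(s string) int {
	switch strings.ToLower(s) {
	case "critical", "high":
		return 1
	case "medium":
		return 2
	}
	return 3
}

// Diagnose emits one diagnostic per advisory, ranged on the package name (byte offsets, ASCII assumed).
func Diagnose(manifest string, advisories map[string][]Advisory) []Diagnostic {
	var out []Diagnostic
	for i, line := range strings.Split(manifest, "\n") {
		m := depLine.FindStringSubmatchIndex(line)
		if m == nil {
			continue // not a dependency entry
		}
		name, version := line[m[2]:m[3]], line[m[4]:m[5]]
		for _, a := range advisories[name] {
			out = append(out, Diagnostic{i, m[2], m[3], lspSeverity(a.Severity),
				fmt.Sprintf("%s@%s: %s (%s)", name, version, a.ID, a.Severity)})
		}
	}
	return out
}

func main() {
	manifest := "{\n  \"dependencies\": {\n    \"lodash\": \"4.17.20\"\n  }\n}" // constructed
	adv := map[string][]Advisory{"lodash": {{"EXAMPLE-0001", "high"}}}     // constructed
	fmt.Printf("%+v\n", Diagnose(manifest, adv))
}
```

LSP positions default to UTF-16 code units, so a real server would convert the byte offsets for lines containing non-ASCII text.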

Labels: enhancement (New feature or request)
