pawamoy/copier-pdm

Security: dependency confusion check

Opened this issue · 0 comments

Add a duty that reads dependencies from pdm.lock and yields instances of a Dependency class which has an is_internal method that the user can override to implement their own logic (like checking if its name is in a set, or if it matches a regular expression). Then for every internal dependency, the duty asserts that it is absent from a given PyPI index (overridable as well). This way we ensure an internal dependency has no public counterpart that could lead to dependency confusion. Of course, if public indexes are not reachable, the duty would be disabled.

Still not sure about implementing this, though, as it is only useful in private contexts (which I have no interest in supporting in an open-source project).
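One way the sketch above could look in code, as an added example that is not part of the issue or of copier-pdm itself. The `Dependency`/`is_internal` shape follows the proposal; everything else is an assumption made here: the `AcmeDependency` override (hypothetical `acme-` prefix convention), the inline `SAMPLE_LOCK` (a constructed pdm.lock fragment, not a real project's), the `FAKE_PUBLIC_INDEX` set standing in for a reachable index so the script runs offline, and the optional `pypi_has` lookup against PyPI's simple index. Two practitioner details the issue does not spell out are included: names are compared in PEP 503 normalized form (an index treats `acme_auth`, `acme.auth` and `acme-auth` as the same project, so an unnormalized comparison would miss a squat), and a network failure disables the check rather than failing it, as the issue proposes.

```python
"""Dependency-confusion check over a pdm.lock (example code, not copier-pdm's)."""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, Optional

try:
    import tomllib  # Python 3.11+; pdm.lock is TOML
except ImportError:  # pragma: no cover
    tomllib = None

# Constructed pdm.lock fragment for the demo; package names are hypothetical.
SAMPLE_LOCK = """\
[metadata]
lock_version = "4.4"

[[package]]
name = "requests"
version = "2.31.0"

[[package]]
name = "acme_billing_core"
version = "1.4.0"

[[package]]
name = "acme-auth"
version = "0.9.2"
"""

# Constructed stand-in for a public index: someone has registered "acme-auth".
FAKE_PUBLIC_INDEX = {"requests", "acme-auth"}


def normalize(name: str) -> str:
    """PEP 503 normalization, i.e. the form an index actually compares on."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Dependency:
    name: str
    version: str

    def is_internal(self) -> bool:
        """Default: nothing is internal. Users override this with their own rule."""
        return False


class AcmeDependency(Dependency):
    """Hypothetical override: every project under the 'acme-' prefix is internal."""

    def is_internal(self) -> bool:
        return normalize(self.name).startswith("acme-")


def read_lock(text: str, cls: type = Dependency) -> Iterator[Dependency]:
    """Yield one `cls` instance per [[package]] table in a pdm.lock."""
    if tomllib is not None:
        for pkg in tomllib.loads(text).get("package", []):
            yield cls(pkg["name"], pkg.get("version", ""))
        return
    # Fallback for Python < 3.11: minimal scan of [[package]] blocks (name/version only).
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        fields = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', block, flags=re.M))
        yield cls(fields["name"], fields.get("version", ""))


def pypi_has(name: str, index: str = "https://pypi.org/simple/") -> bool:
    """True if the simple index serves a project page for `name`.

    Raises urllib.error.URLError (an OSError) when the index is unreachable,
    which `find_collisions` turns into "check disabled". Not used offline.
    """
    req = urllib.request.Request(index + normalize(name) + "/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise


def find_collisions(
    deps: Iterable[Dependency], exists_on_index: Callable[[str], bool]
) -> Optional[list[str]]:
    """Normalized names of internal deps that ALSO exist on the public index.

    [] means no dependency-confusion exposure was found; None means the index
    could not be reached and the check was disabled rather than failed.
    """
    collisions: list[str] = []
    for dep in deps:
        if not dep.is_internal():
            continue  # public deps are expected to be on the index
        try:
            public = exists_on_index(dep.name)
        except OSError:  # URLError subclasses OSError
            return None
        if public:
            collisions.append(normalize(dep.name))
    return collisions


if __name__ == "__main__":
    # Offline demo; swap `pypi_has` in for the lambda to query the live index.
    found = find_collisions(
        read_lock(SAMPLE_LOCK, AcmeDependency),
        lambda n: normalize(n) in FAKE_PUBLIC_INDEX,
    )
    if found is None:
        print("index unreachable, check disabled")
    elif found:
        raise SystemExit(f"internal packages with a public counterpart: {found}")
    else:
        print("no dependency-confusion collisions")
```

Wired into a duty, the `SystemExit` becomes the failing assertion the issue describes; the `is_internal` override and the `exists_on_index` callable are the two points the proposal wants users to be able to swap.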