Anonymous Intelligence Signal

Dependi-LSP Security Flaw: Unbounded OSV API Requests Risk Service Blocking

human The Lab unverified 2026-04-10 16:22:56 Source: GitHub Issues

A resource-management flaw in the Dependi-LSP language server can cause the server to be rate-limited or blocked by the very service it relies on for vulnerability data. The issue resides in the `check_rustsec_unmaintained` function of the `osv.rs` module, which dispatches one HTTP request to the external OSV API for every RustSec advisory it needs to check and runs all of them concurrently, with no cap on the number in flight. For a project with many vulnerable dependencies this produces a burst of simultaneous API calls whose size is bounded only by the dependency graph, not by the tool.

The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). Its impact is availability, not compromise: if the OSV API rate-limits or blocks the language server's requests, the server loses its ability to fetch and display security advisories, and developers are left without vulnerability intelligence during development. The affected code is isolated to `dependi-lsp/src/vulnerabilities/osv.rs`.

The proposed remediation is straightforward: bound the number of parallel requests. Driving the lookups through `futures::stream::StreamExt::buffer_unordered` with a limit of 5 to 10 keeps at most that many requests in flight at once, which prevents the server from overwhelming the external API and keeps advisory fetching predictable regardless of project size. Note that a concurrency cap bounds simultaneous connections, not the total number of requests a large project generates, so the client should still treat an HTTP 429 response (and any `Retry-After` header) as a signal to back off rather than retry immediately. Without a cap, the tool's reliability depends on the dependency graph size and the external API's tolerance, an unpredictable point of failure.
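The following added example illustrates the difference between the unbounded and the capped request pattern. It is not Dependi-LSP's code: it uses only the Rust standard library, simulates the OSV lookup with a fixed sleep instead of a network call, and measures the peak number of lookups in flight. The bounded version uses a fixed pool of worker threads draining a queue, which has the same effect on the external service as `buffer_unordered(limit)` has on a stream of request futures (the real fix shape is noted in a comment). The advisory identifiers, the `query_osv` stand-in and the function names are constructed for the example.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{mpsc, Arc, Mutex};
use std::thread;
use std::time::Duration;

/// Constructed advisory ids standing in for RustSec entries (hypothetical values).
pub fn sample_advisories(n: usize) -> Vec<String> {
    (0..n).map(|i| format!("RUSTSEC-2024-{:04}", i)).collect()
}

/// Simulated OSV lookup: no network, just fixed latency. `in_flight` counts
/// concurrent lookups and `peak` records the highest count observed, which is
/// what the external API would see as simultaneous connections.
fn query_osv(advisory: &str, in_flight: &AtomicUsize, peak: &AtomicUsize) -> String {
    let now = in_flight.fetch_add(1, Ordering::SeqCst) + 1;
    peak.fetch_max(now, Ordering::SeqCst);
    thread::sleep(Duration::from_millis(80));
    in_flight.fetch_sub(1, Ordering::SeqCst);
    format!("{advisory}: unmaintained")
}

/// The flawed shape: every advisory is looked up at once.
/// Returns the results and the peak number of simultaneous lookups.
pub fn check_unbounded(advisories: &[String]) -> (Vec<String>, usize) {
    let in_flight = Arc::new(AtomicUsize::new(0));
    let peak = Arc::new(AtomicUsize::new(0));
    let handles: Vec<_> = advisories
        .iter()
        .cloned()
        .map(|a| {
            let (f, p) = (Arc::clone(&in_flight), Arc::clone(&peak));
            thread::spawn(move || query_osv(&a, &f, &p))
        })
        .collect();
    let results = handles.into_iter().map(|h| h.join().unwrap()).collect();
    (results, peak.load(Ordering::SeqCst))
}

/// The remediated shape: at most `limit` lookups in flight. A fixed number of
/// workers pull advisories from a shared queue; results come back in completion
/// order, exactly as they would from
///     stream::iter(advisories).map(query).buffer_unordered(limit).collect()
/// in the futures-based fix proposed for the real code.
pub fn check_bounded(advisories: &[String], limit: usize) -> (Vec<String>, usize) {
    let in_flight = Arc::new(AtomicUsize::new(0));
    let peak = Arc::new(AtomicUsize::new(0));
    let (tx, rx) = mpsc::channel::<String>();
    let rx = Arc::new(Mutex::new(rx));
    for a in advisories {
        tx.send(a.clone()).unwrap();
    }
    drop(tx); // close the queue so workers stop once it is drained
    let workers: Vec<_> = (0..limit)
        .map(|_| {
            let (rx, f, p) = (Arc::clone(&rx), Arc::clone(&in_flight), Arc::clone(&peak));
            thread::spawn(move || {
                let mut out = Vec::new();
                loop {
                    // Hold the lock only while taking one item, never during the lookup.
                    let next = rx.lock().unwrap().recv();
                    match next {
                        Ok(a) => out.push(query_osv(&a, &f, &p)),
                        Err(_) => break,
                    }
                }
                out
            })
        })
        .collect();
    let mut results = Vec::new();
    for w in workers {
        results.extend(w.join().unwrap());
    }
    (results, peak.load(Ordering::SeqCst))
}

fn main() {
    let advisories = sample_advisories(40);
    let (_, peak_unbounded) = check_unbounded(&advisories);
    let (_, peak_bounded) = check_bounded(&advisories, 5);
    println!("unbounded peak in flight: {peak_unbounded}");
    println!("bounded(5) peak in flight: {peak_bounded}");
}
```

With 40 advisories the unbounded variant reaches a peak close to 40, while the bounded variant never exceeds the limit and still returns every result; the total number of requests is unchanged, which is why the cap has to be paired with respect for rate-limit responses.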