Will there be any guidelines to how to do this in practise and in a fair way? I can imagine this will favor citations to newer packages or packages used for specific tasks, and not their dependencies (which could be hundreds) (would be a long bibliography!)
Somebody should be in Prague, talking about this at #PIDfest. I see there's an ORCID integration. Is auto-update implemented? That will be important because it's needed for trust markers.