fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions)

[tspascoal]

When showing patched versions in the vulnerability summary, advisories with version ranges containing non-strict semver components — such as Maven's >= 2.0-beta9, < 2.25.3 — would display "N/A" instead of the correct patched version. This happened because semver.validRange() rejects range bounds like 2.0-beta9 (missing the patch segment, e.g. 2.0.0-beta9), causing the versionInRange function to fail range validation and fall through to its fail-open default of no match. The fix adds a coercion step in fail-open mode that rewrites invalid version components within the range string to their nearest valid semver equivalents (e.g. 2.0-beta9 → 2.0.0) before retrying validation, allowing the patched version lookup to succeed without affecting the fail-closed vulnerability detection path.

Adds test case for maven and another for golang for extra coverage

Improvements to version range handling:

• Enhanced the versionInRange function in src/summary.ts to attempt coercion of invalid version components within the range string for "fail-open" mode, improving support for non-strict semver formats (e.g., converting 2.0-beta9 to 2.0.0-beta9) and increasing compatibility with real-world advisories.
• Refactored validation logic in versionInRange to use a mutable validRange variable, preparing for additional range coercion logic.

Expanded test coverage for vulnerability summary logic:

• Added a test for handling a Maven package advisory (GHSA-vc5p-v9hr-52mj) with a complex version range, ensuring the summary correctly identifies the patched version.
• Added a test for a Go package advisory (GHSA-r9w3-57w2-gch2) with a pseudo-version range, verifying correct patched version reporting and API usage.

Closes #1075

[Copilot]

Pull request overview

Fixes patched-version display in the vulnerability summary when advisories use non-strict semver ranges (notably Maven-style bounds like 2.0-beta9), by adding a fail-open range coercion path in versionInRange() and expanding regression coverage in summary tests.

Changes:

• Add fail-open coercion of invalid version components inside semver range strings to improve patched-version matching.
• Refactor versionInRange() range validation to allow retry after coercion.
• Add regression tests covering a Maven non-strict range advisory and a Go pseudo-version-style advisory.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
src/summary.ts	Adds fail-open range-string coercion when semver.validRange() rejects real-world advisory bounds.
__tests__/summary.test.ts	Adds regression tests ensuring patched versions are shown (not N/A) for Maven/non-strict ranges and a Go pseudo-version scenario.