@andrew andrew commented Jan 3, 2026

WIP of being able to record external metadata from registries for packages and versions, potential extra features:

  1. Time-travel for outdated - The versions table has published_at. Could answer "what was outdated as of March 2024" or "how stale were we when we released v2.0"
  2. SBOM export - CycloneDX or SPDX format using the purl and license data already collected
  3. Freshness/staleness metrics - How many days behind latest are we on average? Which packages have been pinned longest?
  4. Deprecation warnings - ecosyste.ms has deprecation info for some ecosystems
  5. Maintenance health - ecosyste.ms provides data on last commit date, open issues, maintainer count that could feed into a health score
  6. License drift detection - Flag when a package's license changed between versions (MIT→GPL surprises)
  7. Funding info - Show which dependencies have/need funding (ecosyste.ms tracks this)
  8. Integrity verification - The versions table has an integrity field ready for lockfile hash validation


Labels

enhancement New feature or request
