
Conversation

@cmanallen (Member) commented Oct 8, 2025

Normalize resolve-in-next-release release values between activity data and group resolution params. It also fetches the latest semver release scoped to the packages present on the group.

Previously when resolving in the next semver release the release stored on the group resolution was the most recent time-ordered release. This PR changes that so we're setting the latest semver release as the release value.

But some projects can have multiple packages. Either old packages no longer in use or concurrent packages with their own ordering characteristics. By filtering by the package we force the group resolution to only consider releases relevant to the problem being solved.

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Oct 8, 2025
Comment on lines 161 to 167

    GroupRelease.objects.filter(
        group_id=group.id,
        project_id=group.project_id,
        release__package__isnull=False,
    )
    .distinct()
    .values_list("release__package", flat=True)


High severity vulnerability may affect your project—review required:
Line 161 lists a dependency (django) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of django are vulnerable to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). SQL injection in Django's ORM column aliases: when using QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), or QuerySet.extra() with dictionary expansion (**kwargs), the dictionary keys are used unescaped as SQL column aliases. On MySQL and MariaDB backends, an attacker who can influence those keys (for example, by passing a crafted dict of annotations) can inject arbitrary SQL into the generated query.

References: GHSA, CVE

To resolve this comment:
Check if you are using Django with MySQL or MariaDB.

  • If you're affected, upgrade this dependency to at least version 5.2.7 at uv.lock.
  • If you're not affected, comment /fp we don't use this [condition]


codecov bot commented Oct 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@             Coverage Diff              @@
##           master   #101184       +/-   ##
============================================
+ Coverage   66.36%    81.09%   +14.73%     
============================================
  Files        8661      8670        +9     
  Lines      384271    384602      +331     
  Branches    24275     24275               
============================================
+ Hits       255020    311902    +56882     
+ Misses     128904     72353    -56551     
  Partials      347       347               

Comment on lines +172 to +178

    Release.objects.filter(
        organization_id=group.project.organization_id,
        id__in=release_ids,
        package__isnull=False,
    )
    .distinct()
    .values_list("package", flat=True)


High severity vulnerability may affect your project—review required:
Line 172 lists a dependency (django) with a known High severity vulnerability.
