Add VulnerabilityResult.published field

[orsinium]

Add a new field published into VulnerabilityResult dataclass. The field holds information about when the vulnerability was published. That information is not used in the CLI or anywhere else yet, only emitted (from both PyPA and OSV sources).

Motivation: in a follow-up PR, I'm going to introduce a new CLI flag for filtering out only advisories published in a specific time window. The motivation for that, in turn, is to be able to have multiple CI jobs in user projects, one that warns about new vulnerabilities and another that fails for all vulnerabilities that weren't resolved in time. But that's another story. For now, just hold that information but don't act on it :)

Also, I've switched pip_audit/_service/interface.py to the new style of type annotations. Since you use from __future__ import annotaions, you can use any style of type annotations in any Python versions, type checkers will understand it. I think datetime | None is easier to understand than Optional[datetime].

[woodruffw]

Some tiny nits, but LGTM overall! Thanks!

[woodruffw]

Thanks for adding this field! This will be a nice addition, when plumbed through the different output formats.

Motivation: in a follow-up PR, I'm going to introduce a new CLI flag for filtering out only advisories published in a specific time window.

Would you mind opening a discussion issue for this feature first? So far we've tried to limit the number of "filter-style" CLI options we provide, under the reasoning that users who want filtering should use --format=json (or another machine-readable format) and do filtering as a post-processing step.

[di]

LGTM aside from unresolved discussion

[woodruffw]

LGTM overall, we should probably clarify the OSV schema question but I'm okay with letting that float if you are @di 🙂

[woodruffw]

Thanks again @orsinium!