Add a uv-audit crate

[woodruffw]

Summary

Atop #18119. This should be merged into #18119's branch.

This adds a uv-audit crate, which provides some common types and a trait (VulnerabilityService) for interacting with vulnerability "services" (i.e. online APIs that provide vulnerability DB access).

Our MVP service is OSV; supporting PyPI's PYSEC responses through the same trait would be straightforward.

(This should also not increase our dependency footprint; I've only used crates that were already present in our top-level dependencies.)

Test Plan

I've added initial unit tests; I'm going to add more that use a mocked server to ensure we have good coverage of the pagination branches.

[woodruffw]

Note: marking as ready for review for functionality, but I'm going to add more tests before actually landing this on my feature branch 🙂

[konstin]

Mostly Rust and uv specific comments.

[woodruffw]

I'm not sure how to action these cargo shear errors:

shear/unused_dependency

  × unused dependency `reqwest`
    ╭─[crates/uv-audit/Cargo.toml:31:1]
 30 │ insta = { workspace = true }
 31 │ reqwest = { workspace = true }
    · ───┬───
    ·    ╰── not used in code
 32 │ serde_json = { workspace = true }
    ╰────
  help: remove this dependency

shear/unused_optional_dependency

  ⚠ unused optional dependency `clap`
    ╭─[crates/uv-install-wheel/Cargo.toml:33:1]
 32 │ 
 33 │ clap = { workspace = true, optional = true, features = ["derive"] }
    · ──┬─
    ·   ╰── not used in code
 34 │ configparser = { workspace = true }
    ╰────

Advice: 
  ☞ removing an optional dependency may be a breaking change

Advice: 
  ☞ used in feature `clap`
    ╭─[crates/uv-install-wheel/Cargo.toml:57:9]
 56 │ [features]
 57 │ clap = ["dep:clap", "uv-fs/clap"]
    ·         ─────┬────
    ·              ╰── enabled here
 58 │ schemars = ["dep:schemars", "uv-fs/schemars"]
    ╰────

shear/unused_optional_dependency

  ⚠ unused optional dependency `schemars`
    ╭─[crates/uv-install-wheel/Cargo.toml:44:1]
 43 │ rustc-hash = { workspace = true }
 44 │ schemars = { workspace = true, optional = true }
    · ────┬───
    ·     ╰── not used in code
 45 │ serde = { workspace = true, features = ["derive"] }
    ╰────

Advice: 
  ☞ removing an optional dependency may be a breaking change

Advice: 
  ☞ used in feature `schemars`
    ╭─[crates/uv-install-wheel/Cargo.toml:58:13]
 57 │ clap = ["dep:clap", "uv-fs/clap"]
 58 │ schemars = ["dep:schemars", "uv-fs/schemars"]
    ·             ───────┬──────
    ·                    ╰── enabled here
 59 │ 
    ╰────

shear/unused_workspace_dependency

  × unused workspace dependency `uv-audit`
    ╭─[Cargo.toml:19:1]
 18 │ [workspace.dependencies]
 19 │ uv-audit = { version = "0.1.0", path = "crates/uv-audit" }
    · ────┬───
    ·     ╰── not used by any workspace member
 20 │ uv-auth = { version = "0.0.24", path = "crates/uv-auth" }
    ╰────
  help: remove this dependency

shear/summary

  ✗ 2 errors
  ⚠ 2 warnings

Advice:
  ☞ run with `--fix` to fix 2 issues
  ☞ to suppress a dependency issue
   ╭─[Cargo.toml:2:12]
 1 │ [package.metadata.cargo-shear] # or [workspace.metadata.cargo-shear]
 2 │ ignored = ["crate-name"]
   ·            ──────┬─────
   ·                  ╰── add a crate name here
   ╰────
Error: Process completed with exit code 1.

The reqwest dev-dev is needed because cargo doesn't seem to select the right reqwest features without it (specifically, no TLS stack for Tower). And I'm not 100% sure why uv-install-wheel is popping up in this unrelated PR 🤔

[konstin]

The unrelated messages are only warnings, they don't actually error (#18165). For the reqwest feature, can you activate the rustls reqwest-middleware feature as a dev dependency? Otherwise you can use reqwest with no-default-features and the ssl features you need as a dev dependency and put it in the cargo shear ignores.

[woodruffw]

Okay, I think we're good to go now 🙂

[konstin]

I don't think we need a separate test for this

[woodruffw]

Happy to remove if you feel strongly, but IMO these kinds of serde backstops are nice to have: in this case #[serde(other)] is load-bearing (since it converts unknown variants into Other), and it's nice to have an explicit test in case we ever refactor that.

[konstin]

Is that change intentional?

[woodruffw]

Nope, this is editor churn. Can remove if you want.