fix(deps-maven): wrong latest version for packages with legacy non-semver versions (e.g. guava r09 vs 33.5.0-jre) #91

@bug-ops

Bug Report

Component: deps-maven
Severity: P2

Description

Packages with legacy non-semver versions (e.g., guava with versions r03–r09) show a wrong "latest" version because:

  1. parse_metadata_xml only parses <version> entries inside <versions>, ignoring the top-level <release> and <latest> fields.
  2. compare_versions compares segments lexicographically when they can't be parsed as integers, so r09 compares as greater than 33 (r (114) > 3 (51)).
  3. Result: r09 is sorted to the top and returned as "latest stable" — even though is_prerelease("r09") = false.

Evidence

Registry response: <release>33.5.0-jre</release> and <latest>33.5.0-jre</latest>.
Server returned: fetched package=com.google.guava:guava version=r09.
Inlay hint showed: ❌ r09 instead of ❌ 33.5.0-jre.

Fix

Parse the <release> element from maven-metadata.xml and return it directly as the latest stable version instead of sorting all versions and picking the first non-prerelease:

// In parse_metadata_xml, also capture <release> and <latest>
// Use <release> as the authoritative latest stable

Fallback to sort-based selection only when <release> is absent.
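
The behaviour reported above and the proposed fix, as an added Rust sketch that is not the project's code. Rust is assumed here as the project's language; `elements`, `compare_segments`, `latest_by_sort` and `latest_stable` are hypothetical names, and the XML is a constructed sample.

```rust
use std::cmp::Ordering;

// Constructed sample, shaped like the registry response quoted in the report.
const SAMPLE: &str = "<metadata><versioning><latest>33.5.0-jre</latest>\
    <release>33.5.0-jre</release><versions><version>r03</version>\
    <version>r09</version><version>33.5.0-jre</version></versions>\
    </versioning></metadata>";

// Hypothetical helper: text of each <tag>...</tag>, by naive scan (no XML crate).
fn elements<'a>(xml: &'a str, tag: &str) -> Vec<&'a str> {
    let (open, close) = (format!("<{tag}>"), format!("</{tag}>"));
    let (mut out, mut rest) = (Vec::new(), xml);
    while let Some(start) = rest.find(&open) {
        let body = &rest[start + open.len()..];
        let Some(end) = body.find(&close) else { break };
        out.push(body[..end].trim());
        rest = &body[end + close.len()..];
    }
    out
}

// Comparison as the report describes it: numeric if both segments parse, else lexicographic.
fn compare_segments(a: &str, b: &str) -> Ordering {
    let sa: Vec<&str> = a.split(['.', '-']).collect();
    let sb: Vec<&str> = b.split(['.', '-']).collect();
    for (x, y) in sa.iter().zip(&sb) {
        let ord = match (x.parse::<u64>(), y.parse::<u64>()) {
            (Ok(m), Ok(n)) => m.cmp(&n),
            _ => x.cmp(y), // "r09" vs "33": 'r' (114) > '3' (51)
        };
        if ord != Ordering::Equal { return ord; }
    }
    sa.len().cmp(&sb.len())
}

// Sort-based selection (prerelease filtering omitted; the report says r09 passes it).
fn latest_by_sort(xml: &str) -> Option<String> {
    elements(xml, "version").into_iter().max_by(|a, b| compare_segments(a, b)).map(str::to_owned)
}

// Proposed fix: <release> is authoritative; sort only when it is absent.
fn latest_stable(xml: &str) -> Option<String> {
    let release = elements(xml, "release").into_iter().next().filter(|r| !r.is_empty());
    release.map(str::to_owned).or_else(|| latest_by_sort(xml))
}

fn main() {
    println!("sort: {:?}, release: {:?}", latest_by_sort(SAMPLE), latest_stable(SAMPLE));
}
```

With `<release>` removed from the sample, `latest_stable` falls back to the sort and returns `r09` again, so in this sketch the fallback path still depends on the segment comparison.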
