VersionReq ranges do not include prerelease versions

[mystor]

The type which we use for describing violations, VersionReq, comes from semver and is used for declaring dependencies. Because of this intended purpose, a VersionReq will never match a pre-release version of a crate (e.g. 1.0.0-pre1), unless it is fully specified (see the docs in the semver crate). This might be unexpected behaviour, as it makes it very difficult to add a violation which also matches pre-release versions of a crate. In addition, in #80 I am also considering using this mechanism to specify excluded upstream audits, where this behaviour would make it difficult to bulk-exclude imports of audits for pre-release versions.

I think the expected behaviour here might be to have an pattern like >=1.0, <2.0 also match the prerelease versions in that range like 1.5.0-pre1, which will require changes to how at least evaluation of VersionReq is performed. We would need to have our own version fo the semver matching logic which handles prerelease patches so it could be possible for us to re-use the existing parser and write our own matcher using the same syntax if we wanted to.

Whatever decision we end up going with here, it's probably worth writing some documentation about the matcher syntax in the book as well (https://mozilla.github.io/cargo-vet/audit-entries.html#violation), including adding notes about the pre-release caveat if we end up sticking with the existing semantics.

[bholley]

Agree that we want violation ranges to cover pre-release versions. Probably not super likely to come up in practice: violations, crates-io-published prerelease versions, and prerelease-compatible dependency specifiers are all likely rare, and the combination of the three of them is likely vanishingly rare. But we should fix it at some point.