Commit 42d56d3
feat: add antv-block incident block list for 317 packages (#291)
## Summary
Adds `config["bug-versions"]` entries for the **antv-block supply-chain
incident of 2026-05-19**, in which 637 versions across 317 packages were
published — each minor/patch-bumped above the package's last stable
release, in two batches within ~30 minutes.
Every blocked version redirects to the **last clean release**:
- normally the package's dist-tag `latest` (npm kept that tag intact for
all but one package);
- where `latest` itself was compromised — only `uri-parse`, whose
`latest` pointed at the malicious `1.2.0` — the newest clean **stable**
version is used instead (`uri-parse` → `1.0.0`).
## Stats
- **317 packages / 637 versions** added
- diff: `package.json` only, `+3182` lines, no deletions
- `node --test` passes
## Excluded — needs manual review
- **`@antv/g6-lite`** — its only published version (`0.1.0-beta.1`) is
itself the suspect one, so there is no clean version to redirect to.
Left out of this PR; should be handled via package takedown instead.
## Relation to #290
This supersedes #290, which covered 269 of the 318 source packages and
omitted 49 — including `uri-parse`, whose naive "default to latest"
target would have pointed straight back at the malicious version.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent a79e821 commit 42d56d3
1 file changed
Lines changed: 3182 additions & 0 deletions
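
The redirect rule the commit message describes (dist-tag `latest` unless it is itself blocked, otherwise the newest clean stable version, and no entry at all when nothing clean exists), as an added JavaScript example that is not code from this commit or its repository. The packument data is constructed, `example-pkg` and the `1.1.0-rc.1` version are hypothetical, and the `{ version, reason }` entry shape is an assumption.

```javascript
// Added example, not the repository's code. Sample data is constructed.
const SAMPLE_PACKUMENTS = {
  "uri-parse": { "dist-tags": { latest: "1.2.0" },
    versions: { "1.0.0": {}, "1.1.0-rc.1": {}, "1.2.0": {} } }, // rc is constructed
  "@antv/g6-lite": { "dist-tags": { latest: "0.1.0-beta.1" },
    versions: { "0.1.0-beta.1": {} } },
  "example-pkg": { "dist-tags": { latest: "2.3.0" },            // hypothetical package
    versions: { "2.3.0": {}, "2.3.1": {}, "2.4.0": {} } },
};
const SAMPLE_INCIDENT = {                                        // name -> blocked versions
  "uri-parse": ["1.2.0"],
  "@antv/g6-lite": ["0.1.0-beta.1"],
  "example-pkg": ["2.3.1", "2.4.0"],
};

// Stable means no prerelease suffix ("-beta.1", "-rc.1", ...).
const isStable = (v) => !v.includes("-");
// Numeric major.minor.patch comparison; only used on stable versions.
function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let k = 0; k < 3; k++) if (x[k] !== y[k]) return x[k] - y[k];
  return 0;
}

// Returns the clean version to redirect to, or null when none exists.
function redirectTarget(packument, blocked) {
  const bad = new Set(blocked);
  const latest = (packument["dist-tags"] || {}).latest;
  if (latest && !bad.has(latest)) return latest;        // normal case
  const clean = Object.keys(packument.versions)
    .filter((v) => !bad.has(v) && isStable(v))
    .sort(cmp);
  return clean.length ? clean[clean.length - 1] : null; // fallback, or nothing clean
}

// Builds block-list entries; the { version, reason } shape is an assumption.
function buildEntries(packuments, incident, reason) {
  const entries = {}, manual = [];
  for (const [name, blocked] of Object.entries(incident)) {
    const target = redirectTarget(packuments[name], blocked);
    if (target === null) { manual.push(name); continue; } // needs manual review
    entries[name] = {};
    for (const v of blocked) entries[name][v] = { version: target, reason };
  }
  return { entries, manual };
}

console.log(JSON.stringify(
  buildEntries(SAMPLE_PACKUMENTS, SAMPLE_INCIDENT, "constructed reason"), null, 2));
```

A package that lands in `manual` gets no redirect entry, which is the `@antv/g6-lite` case the commit message excludes.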