
v0.2.1 — PEP 440-correct pre-release version comparison


@sharkyger sharkyger released this 05 Jun 19:20
· 11 commits to main since this release
v0.2.1
4cb5ae8

A correctness patch for the CVE range matcher's version comparison.

Fixed

  • PEP 440-correct pre-release version comparison. The CVE range matcher now uses a small, dependency-free pre-release-aware comparator (dev < alpha < beta < rc < final, with trailing-zero equivalence) in place of the previous tuple parser, so pre-release versions such as 1.0-beta sort correctly relative to their final release when evaluated against advisory ranges. Constraint parsing is tightened and every comparison site is None-safe — unparseable versions or constraints fail closed (treated as affected). The tool stays dependency-free (no packaging runtime dependency). Covered by tests/test_version_validation.py.
  • The test_installed_old_version_is_treated_as_incoming test no longer reads the live Homebrew openssl@3 release date, so it stops failing for ~3 days after every openssl@3 bump.
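The comparator described in the first item, written out as an added example (not the project's own code from this release). It implements the ordering the note gives (dev < alpha < beta < rc < final, trailing zeros ignored so that 1.0 == 1.0.0) plus PEP 440's short spellings a/b/c/pre/preview, and the fail-closed rule: an installed version or advisory range that cannot be parsed is reported as affected. Function names (parse_version, parse_constraints, is_affected), the constraint syntax (comma-separated clauses like ">=0.9,<1.0") and the sample versions are assumptions for illustration; post-releases and local version labels are not handled.

```python
import re
from typing import List, Optional, Tuple

# Pre-release phase ordering from the release note: dev < alpha < beta < rc < final.
# Alternate spellings follow PEP 440 (a == alpha, b == beta, c/pre/preview == rc).
_PHASE_RANK = {
    "dev": 0,
    "alpha": 1, "a": 1,
    "beta": 2, "b": 2,
    "rc": 3, "c": 3, "pre": 3, "preview": 3,
}
_FINAL_RANK = 4  # a final release outranks every pre-release of the same number

# Accepts "1.0", "v1.0.0", "1.0-beta", "1.0b2", "1.0.dev3", "1.0rc1"; rejects anything else.
_VERSION_RE = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)"
    r"(?:[-._]?(?P<phase>dev|alpha|a|beta|b|preview|pre|rc|c)[-._]?(?P<num>\d*))?$",
    re.IGNORECASE,
)

# Constraint syntax assumed for this example: an operator followed by a version.
_CONSTRAINT_RE = re.compile(r"^(?P<op>>=|<=|==|!=|>|<)\s*(?P<ver>\S+)$")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> Optional[VersionKey]:
    """Return a comparable key for a version string, or None if it is unparseable.

    Key = (release digits with trailing zeros dropped, phase rank, phase number).
    Plain tuple comparison on the key then yields the PEP 440 pre-release order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    release = [int(part) for part in m.group("release").split(".")]
    # Trailing-zero equivalence: 1.0 and 1.0.0 must compare equal.
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    phase = m.group("phase")
    if phase is None:
        return (tuple(release), _FINAL_RANK, 0)
    num = int(m.group("num") or 0)  # "1.0a" means "1.0a0"
    return (tuple(release), _PHASE_RANK[phase.lower()], num)


def parse_constraints(spec: str) -> Optional[List[Tuple[str, VersionKey]]]:
    """Parse a comma-separated clause set such as '>=0.9,<1.0'.

    Returns None if any clause or any version inside it is unparseable.
    """
    clauses = []
    for raw in spec.split(","):
        m = _CONSTRAINT_RE.match(raw.strip())
        if not m:
            return None
        bound = parse_version(m.group("ver"))
        if bound is None:
            return None
        clauses.append((m.group("op"), bound))
    return clauses


def is_affected(installed: str, affected_range: str) -> bool:
    """True if `installed` lies inside the advisory's affected range.

    Fails closed: if either side cannot be parsed, the version is treated as affected
    rather than silently skipped.
    """
    key = parse_version(installed)
    clauses = parse_constraints(affected_range)
    if key is None or clauses is None:
        return True
    return all(_OPS[op](key, bound) for op, bound in clauses)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the project's test suite.
    for v in ["1.0.dev1", "1.0-alpha", "1.0b2", "1.0rc1", "1.0", "1.0.0", "1.0.1"]:
        print(f"{v:10} -> {parse_version(v)}")
    print(is_affected("1.0-beta", ">=0.9,<1.0"))  # True: beta sorts below the final 1.0
    print(is_affected("1.0", ">=0.9,<1.0"))       # False
    print(is_affected("banana", ">=0.9,<1.0"))    # True: unparseable fails closed
```

The key design point is that the old tuple parser would have compared "1.0-beta" either as garbage or as something above "1.0"; here the pre-release phase becomes a second tuple element ranked strictly below the final release, so the advisory clause `<1.0` correctly captures 1.0-beta. Returning None instead of raising keeps every comparison site simple: the caller only has to treat None as "affected".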

Install / upgrade

  • Tap users: brew update && brew upgrade safe-upgrade
  • Script install: brew safe-update

Full changelog: v0.2.0...v0.2.1