
v0.2.7 — ecosystem-aware NVD matching, package-anchored output, CVE-named age bypass


@sharkyger sharkyger released this 12 Jun 23:08
· 2 commits to main since this release
v0.2.7
b826f93

Security-precision and UX release closing all four open user reports — thanks @aleksandrs-ledovskis for the detailed issues.

Fixed

  • Same-named packages from other ecosystems no longer block a Homebrew formula (#74). NVD keyword search matches on text, so a formula could collide with an identically-named package from a language ecosystem — the canonical cmake was permanently blocked by an advisory for the long-dead npm cmake package. The scanner now reads the CPE 2.3 target_sw field and skips advisories whose every applicability statement is pinned to a different language ecosystem. Fail-closed bounds kept: one generic/matching applicability statement — or no CPE data at all — still flags. CPE relevance is also evaluated when no version is supplied; distro- and OS-scoped advisories are filtered on that path too.
  • oracle removed from the distro-vendor CPE filter. Oracle is also the upstream vendor of widely brewed software (MySQL, OpenJDK, VirtualBox), so its application CPEs are now evaluated like any other upstream vendor. Oracle Linux distro CPEs are OS-type and remain filtered.
  • Per-package output lines no longer print above the package they belong to (#73), in brew safe-upgrade and brew safe-install alike.
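The ecosystem filter and the vendor handling described in the first two items above, as an added illustration that is not the safe-upgrade scanner's own code: it models the rule on a list of CPE 2.3 match strings. The ecosystem and distro-vendor lists, the field parser and the sample CPE strings are constructed assumptions for the example.

```python
# Illustrative model of the v0.2.7 relevance rule (not the tool's own code):
# an advisory is skipped only when every applicability statement is pinned
# to a language ecosystem; anything generic, or no CPE data at all, still flags.

# target_sw values treated as language-package ecosystems (assumed list).
LANGUAGE_ECOSYSTEMS = {"node.js", "npm", "python", "pypi", "ruby", "rust",
                       "go", "php", "java", "maven", "perl"}

# Distro vendors whose CPEs are dropped; 'oracle' is deliberately absent
# because it is also an upstream application vendor (assumed list).
DISTRO_VENDORS = {"debian", "redhat", "canonical", "fedoraproject", "suse"}


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named fields.

    Field order per the CPE 2.3 spec: part:vendor:product:version:update:
    edition:language:sw_edition:target_sw:target_hw:other. Escaped colons
    inside values are not handled here (kept simple for the example).
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    keys = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, parts[2:]))


def advisory_is_relevant(cpe_strings: list) -> bool:
    """True when the advisory should still flag a Homebrew formula.

    Fail-closed: no CPE data -> True. Any application statement whose
    target_sw is generic ('*' / '-') or not a language ecosystem -> True.
    OS-type (part 'o') and distro-vendor statements are ignored, so an
    advisory made up only of those is filtered (False).
    """
    if not cpe_strings:
        return True  # cannot prove irrelevance without CPE data
    for cpe in cpe_strings:
        f = parse_cpe23(cpe)
        if f["part"] == "o" or f["vendor"] in DISTRO_VENDORS:
            continue  # distro- / OS-scoped statement: filtered on this path
        if f["target_sw"] not in LANGUAGE_ECOSYSTEMS:
            return True  # generic or non-ecosystem target: still flags
    return False  # every remaining statement is pinned to a foreign ecosystem
```

Run against a constructed npm-only cmake advisory this returns False, while the same advisory plus one generic kitware cmake statement returns True.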

Added

  • The age-check CVE bypass now names the CVEs it acted on (#72) — severity, CVSS score, and source for up to 5 findings print under the bypass line.

Documentation

  • README documents where the standalone scanner lives per install route (#75): $(brew --prefix safe-upgrade)/libexec/ for tap installs, $(brew --prefix)/bin/ for script installs.

Install / upgrade

  • Tap (recommended): brew install sharkyger/tap/safe-upgrade — formula bump to v0.2.7 follows shortly; then brew update && brew upgrade safe-upgrade
  • Script: re-run install.sh (pinned to this tag, SHA256-verified) or brew safe-update

Full details in the CHANGELOG.