If we have a release of an artifact that is vulnerable, we may need to remove it from the repo. If we do that, we want to leave the version page in place, but have that page link to a security advisory and the version where the vulnerability is addressed. We would want to remove those versions from the search index and from generated feeds.
We should also modify the Fastly config to return a 410 response, with the status message linking to the version page on Clojars.
This work would also be useful as a start on better support for deprecated projects (#284).
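The edge-side part of the proposal above, as an added illustration and not the project's actual Fastly configuration: a Fastly VCL snippet that maps every file under a removed version directory to a 410 whose reason phrase, a Link header and a short body all point at the version page. The repository path layout (`/<group path>/<artifact>/<version>/<file>`), the `removed_versions` table and the example coordinates and URL in it are assumptions for the example.

```vcl
# Added example, not Clojars' own Fastly config. Assumes Maven-style repo paths and that
# this table (in practice an edge dictionary) is updated whenever a release is pulled.
table removed_versions {
  "/org/example/vuln-lib/1.0.0/": "https://clojars.org/org.example/vuln-lib/versions/1.0.0"
}

sub vcl_recv {
  declare local var.version_dir STRING;
  declare local var.version_page STRING;

  # Strip the file name so jar, pom and checksum requests for one version share a single key.
  if (req.url.path ~ "^(/.+/)[^/]+$") {
    set var.version_dir = re.group.1;
    set var.version_page = table.lookup(removed_versions, var.version_dir, "");
    if (var.version_page != "") {
      # Stash the link on the request; vcl_error builds the synthetic response from it.
      set req.http.X-Version-Page = var.version_page;
      error 410 "Gone";
    }
  }
}

sub vcl_error {
  if (obj.status == 410 && req.http.X-Version-Page) {
    # Reason phrase carries the link, as the issue proposes; the body and Link header
    # repeat it for clients that do not surface the reason phrase.
    set obj.response = "Gone, see " + req.http.X-Version-Page;
    set obj.http.Content-Type = "text/plain; charset=utf-8";
    set obj.http.Link = "<" + req.http.X-Version-Page + ">; rel=\"describedby\"";
    synthetic "This release was removed for security reasons. See " + req.http.X-Version-Page + {"
"};
    return(deliver);
  }
}
```

Matching on the version directory rather than on individual file names matters: build tools fetch the pom and checksums separately from the jar, and a 410 on only one of them still leaves the vulnerable binary downloadable.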
As a hopefully useful observation, a pretty sizeable chunk of Clojure projects (especially those with Java deps) are vulnerable according to https://github.com/jeremylong/DependencyCheck (available via nvd-clojure and others).
So, technically speaking, a lot of projects are vulnerable, which might not exactly warrant removing them.
So surely the threshold for "vulnerable" would be something like:
This dependency includes (directly or transitively) malware.