Add repository-level vulnerability summary to vulnerabilities command

[colinmoynes]

This pull request introduces improvements to the vulnerability command. It adds a repository-level vulnerability summary capability, allowing users to aggregate and filter vulnerability data across all packages in a repository.

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Refactoring
• Other (please describe)

Additional Notes

[Copilot]

Pull request overview

This PR expands the CLI’s vulnerability reporting to support repository-level aggregation, and also introduces download-command enhancements (filename filtering and multi-package downloads), along with associated version/dependency bumps.

Changes:

• Add cloudsmith vulnerabilities OWNER/REPO mode to aggregate vulnerability counts across all packages in a repository (with filtering and JSON output).
• Enhance cloudsmith download with --filename filtering (including glob patterns) and --download-all, plus improved multi-match display.
• Bump CLI version metadata to 1.16.0 and update cloudsmith-api dependency to 2.0.25.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
cloudsmith_cli/cli/commands/vulnerabilities.py	Adds repo-level summary mode, aggregation/filtering, and rich table output.
cloudsmith_cli/core/api/vulnerabilities.py	Updates summary table rendering and adjusts scan identifier handling.
cloudsmith_cli/cli/validators.py	Adds validator to accept OWNER/REPO[/SLUG_PERM] for vulnerabilities command arg.
cloudsmith_cli/core/download.py	Adds filename filtering (server/client side) and refactors multi-match output via rich table; adds resolve-all helper.
cloudsmith_cli/cli/commands/download.py	Adds --filename and --download-all, refactors download flow, and adds safe path joining.
cloudsmith_cli/core/tests/test_download.py	Adds unit tests for filename filtering, resolve-all behavior, and multi-match display.
cloudsmith_cli/cli/tests/commands/test_download.py	Adds integration-style CLI tests for new download flags/behavior.
cloudsmith_cli/cli/commands/upstream.py	Adds alpine to supported upstream formats list.
README.md	Documents new download flags (--filename, --download-all).
CHANGELOG.md	Adds entries for new features/releases (but currently with duplicated 1.14.0 sections).
setup.py / requirements.txt	Bumps cloudsmith-api dependency from 2.0.24 to 2.0.25.
cloudsmith_cli/data/VERSION / .bumpversion.cfg	Bumps version to 1.16.0.

Comments suppressed due to low confidence (2)

CHANGELOG.md:60

• The changelog now contains two separate ## [1.14.0] sections (with different dates), which makes it ambiguous which entry is authoritative. Consider consolidating these into a single 1.14.0 section (or correcting the version/date as appropriate).

## [1.14.0] - 2026-03-11

### Added

- Added `vulnerabilities` command to retrieve security scan results for a package
  - Summary View (Default): Displays a high-level count of vulnerabilities broken down by severity (Critical, High, Medium, Low, Unknown).
  - Assessment View `--show-assessment` (`-A`): Provides a detailed breakdown where vulnerabilities are:
    - Grouped by the specific affected upstream package / dependency.
    - Sorted by severity (Critical first).
    - Richly formatted tables.
  - Filtering Capabilities:
    - By Severity: `--severity` Show only specific levels (e.g., just Critical and High).
    - By Status: `--fixable | --non-fixable` Filter to show only "Fixable" vulnerabilities (where a patch exists) or "Non-Fixable" ones.
  - Supports `--output-format json | pretty_json` for programmatic usage

## [1.14.0] - 2026-03-13

### Added

- Added `vulnerabilities` command to retrieve security scan results for a package
  - Summary View (Default): Displays a high-level count of vulnerabilities broken down by severity (Critical, High, Medium, Low, Unknown).
  - Assessment View `--show-assessment` (`-A`): Provides a detailed breakdown where vulnerabilities are:
    - Grouped by the specific affected upstream package / dependency.
    - Sorted by severity (Critical first).
    - Richly formatted tables.
  - Filtering Capabilities:

CHANGELOG.md:23

• cloudsmith_cli/data/VERSION and .bumpversion.cfg are bumped to 1.16.0, but the new vulnerability summary entry is still under [Unreleased] rather than the 1.16.0 release section. If this change is part of 1.16.0, consider moving it into the ## [1.16.0] section; otherwise consider not bumping the version yet.

## [Unreleased]

### Added

- Added repository-level vulnerability summary (`cloudsmith vulnerabilities OWNER/REPO`)
  - Aggregates scan results across all packages into a single color-coded table
  - Packages sorted by total vulnerability count (descending)
  - Packages without scan results are silently omitted
  - Supports `--severity` and `--fixable/--non-fixable` filters

## [1.16.0] - 2026-03-24

### Added

- Added Alpine Upstream support for managing upstream configurations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[colinmoynes]

Engineering was rejected in favor of API enhancements.