audit-ci
Add expiration time for allow list items
In many cases there's not much that you can do for the vulnerability at the time it is alerted. However, maybe the fix is being worked on but not released. For this purpose it would make sense to have expiry times for ignored vulnerabilities so that the developer remembers to check it again after a while. For reference, better-npm-audit supports such functionality via an expiry field: https://github.com/jeemok/better-npm-audit#using-nsprc-file-to-manage-exceptions
This would also be useful in cases where a policy dictates different time windows for different levels of advisory (e.g. 7 days for low vulnerabilities, 24 hours for critical, etc.). Without this addition, the only option is to either immediately action the fix, or to add the advisory to the ignored list, where it can easily be forgotten.
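The two requests above (expiry dates on allowlist entries, and severity-dependent windows) can be illustrated with a small evaluator. This is an added example, not audit-ci's own code or config format: the `expiry` field, the `MAX_SUPPRESSION_MS` policy values and the advisory ids are assumptions. The evaluator drops lapsed entries so the advisory fails the build again, reports them so the developer is reminded to re-check, and treats an unparsable date as already expired so a typo cannot silently suppress a finding indefinitely.

```javascript
// Added example (not audit-ci code): evaluating an allowlist whose entries carry
// an assumed `expiry` field, plus a severity-based policy for how long an entry
// may remain in the list. Field names and policy values are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed policy: maximum lifetime of a suppression, by advisory severity.
const MAX_SUPPRESSION_MS = {
  critical: 1 * DAY_MS,
  high: 3 * DAY_MS,
  moderate: 7 * DAY_MS,
  low: 30 * DAY_MS,
};

// Latest permitted expiry for an entry added at `addedAt`.
// Unknown severities get the strictest window (fail closed).
function maxExpiryFor(severity, addedAt, policy = MAX_SUPPRESSION_MS) {
  const window = policy[severity] ?? policy.critical;
  return new Date(new Date(addedAt).getTime() + window);
}

// Split allowlist entries into those still in force and those that have lapsed.
// An entry with no `expiry` is permanent; an unparsable `expiry` counts as
// expired so a malformed date does not suppress a finding forever.
function partitionAllowlist(entries, now = new Date()) {
  const active = [];
  const expired = [];
  for (const entry of entries) {
    if (entry.expiry === undefined) {
      active.push(entry);
      continue;
    }
    const expiresAt = new Date(entry.expiry);
    if (Number.isNaN(expiresAt.getTime()) || expiresAt <= now) {
      expired.push(entry);
    } else {
      active.push(entry);
    }
  }
  return { active, expired };
}

// Which advisories still fail the build once lapsed entries are dropped,
// together with the expired entries so they can be surfaced as reminders.
function evaluateAdvisories(advisories, allowlist, now = new Date()) {
  const { active, expired } = partitionAllowlist(allowlist, now);
  const suppressedIds = new Set(active.map((e) => e.id));
  const failing = advisories.filter((a) => !suppressedIds.has(a.id));
  return { failing, expired };
}

// Constructed sample data (placeholder ids, not real advisories).
const sampleAllowlist = [
  { id: "ADVISORY-1", expiry: "2030-01-01T00:00:00Z", reason: "fix merged upstream, release pending" },
  { id: "ADVISORY-2", expiry: "2024-01-01T00:00:00Z", reason: "awaiting maintainer response" },
  { id: "ADVISORY-3", expiry: "not-a-date", reason: "typo in the date field" },
  { id: "ADVISORY-4", reason: "permanent exception, no expiry" },
];
const sampleAdvisories = [
  { id: "ADVISORY-1", severity: "low" },
  { id: "ADVISORY-2", severity: "critical" },
  { id: "ADVISORY-3", severity: "high" },
  { id: "ADVISORY-4", severity: "moderate" },
];

// Fixed "now" so the run is reproducible.
const NOW = new Date("2025-06-01T00:00:00Z");
const result = evaluateAdvisories(sampleAdvisories, sampleAllowlist, NOW);
for (const e of result.expired) {
  console.log(`allowlist entry ${e.id} expired (${e.expiry}); re-check this advisory`);
}
for (const a of result.failing) {
  console.log(`unsuppressed advisory ${a.id} (${a.severity})`);
}
```

With the sample data, ADVISORY-1 stays suppressed, ADVISORY-4 stays suppressed permanently, and ADVISORY-2 (lapsed) and ADVISORY-3 (malformed date) fail the build again. `maxExpiryFor` is what a tool could use to reject an allowlist entry whose `expiry` exceeds the policy window for its severity.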