Support specifying version (ranges) on reviewed dependencies

Open ericcornelissen opened this issue 1 year ago • 0 comments

Related to some other issues (#196, #418, #442) but I believe slightly different: my request is to allow for specifying versions (or version ranges) on reviewed dependencies such that licensed status errors if the version doesn't match.

I'm aware of the "license needs review" state (originating from #244). However, this requires that the Licensed cache is committed to VCS (which I'm trying to avoid because I believe it doesn't fit my use case). If I can specify a version on a reviewed dependency, Licensed knows which version I reviewed, so it can tell me to re-review if the version changes.

Supporting version ranges as well could be seen as a quality of life feature, particularly given that I've seen it argued that license changes should be considered a breaking change (unfortunately I don't have a reference for that...).

I have two (non-mutually exclusive) suggestions for how to support this from the configuration side:

  1. Add support for adding `@x.y.z` to the package name. If present, the version is compared against the actual version of the dependency. If not present, Licensed's behavior is unchanged.

  2. Update the reviewed configuration format to something along the lines of:

     ```yaml
     reviewed:
       npm:
         # for example
         - package: glob
           version: x.y.z

         # Or no version, same behavior as current
         - package: glob

         # Or, for backwards compatibility
         - glob
     ```

ericcornelissen, Sep 27 '22 22:09
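As an added illustration of the two configuration shapes proposed in the issue (this is example code written here, not Licensed's own implementation, and none of it is part of the original post): the snippet below parses a `reviewed` list that mixes bare names, `name@version` strings, and `package`/`version` hashes, then compares each reviewed entry against the version actually found in the dependency tree. Scoped npm names (`@scope/pkg`) are handled by splitting on the last `@`. Version ranges are expressed in RubyGems `Gem::Requirement` syntax (`~> 3.1`, `>= 7.0, < 8`), which is an assumption made for this example; the issue does not specify a range syntax. The package names and versions are constructed sample data, not real project entries.

```ruby
# Added example, not Licensed's own code. Prototype of version-aware
# "reviewed" entries: a dependency counts as reviewed only if its actual
# version satisfies the version (or range) recorded next to its name.
require "rubygems"

# Normalise one reviewed entry into { name:, requirement: }.
#   "glob"                                   -> any version (current behaviour)
#   "glob@7.2.0"                             -> exactly 7.2.0 (suggestion 1)
#   { "package" => "glob", "version" => "~> 7.2" } -> range (suggestion 2)
# Range syntax is Gem::Requirement's; that choice is an assumption of this example.
def parse_reviewed_entry(entry)
  case entry
  when String
    # Split on the LAST "@" so scoped names like "@scope/pkg@1.2.3" work.
    name, _sep, version = entry.rpartition("@")
    name, version = entry, nil if name.empty? # no version suffix present
  when Hash
    h = entry.transform_keys(&:to_s)
    name = h.fetch("package")
    version = h["version"]
  else
    raise ArgumentError, "unsupported reviewed entry: #{entry.inspect}"
  end

  requirement =
    if version.nil? || version.to_s.strip.empty?
      Gem::Requirement.default            # ">= 0": any version is fine
    else
      # Allow comma-separated constraints such as ">= 7.0, < 8".
      Gem::Requirement.new(version.to_s.split(",").map(&:strip))
    end

  { name: name, requirement: requirement }
end

# Status of one actual dependency against the reviewed list:
#   :ok               reviewed and the version matches
#   :version_mismatch reviewed, but a different version is installed (re-review)
#   :not_reviewed     no reviewed entry for this name
def reviewed_status(reviewed_entries, name, actual_version)
  matches = reviewed_entries.map { |e| parse_reviewed_entry(e) }
                            .select { |r| r[:name] == name }
  return :not_reviewed if matches.empty?

  version = Gem::Version.new(actual_version)
  matches.any? { |r| r[:requirement].satisfied_by?(version) } ? :ok : :version_mismatch
end

# Constructed sample configuration and dependency tree (not real project data).
REVIEWED = [
  "glob@7.2.0",                                    # exact version, suggestion 1
  { "package" => "minimatch", "version" => "~> 3.1" }, # range, suggestion 2
  "lodash",                                        # no version, current behaviour
].freeze

ACTUAL = {
  "glob"      => "7.2.3",   # newer than the reviewed 7.2.0 -> needs re-review
  "minimatch" => "3.1.2",   # inside ~> 3.1 -> ok
  "lodash"    => "4.17.21", # no constraint -> ok
}.freeze

# Evaluate every actual dependency; returns { name => status }.
def check_all(reviewed = REVIEWED, actual = ACTUAL)
  actual.to_h { |name, version| [name, reviewed_status(reviewed, name, version)] }
end

if $PROGRAM_NAME == __FILE__
  check_all.each { |name, status| puts "#{name}: #{status}" }
end
```

Running the file prints `glob: version_mismatch`, `minimatch: ok`, `lodash: ok`; a `licensed status` built on this logic would fail on the first line and pass the other two, which is the behaviour the issue asks for.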