An early version of the known vulns audit used OSV, but I switched to the GHSA API because the former doesn't include version range queries. This results in a GitHub API token dependency, which is not ideal.

Opening this so I don't forget per @alex.