mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Audit unpublished audit-as-crates-io crates as a published version #497

Closed mystor closed 1 year ago

mystor commented 1 year ago

This is done by adding a new unpublished table to the imports.lock file, which will enumerate the mappings from local versions to published versions in use by the audit. These are treated like special delta audits when resolving, allowing the audit to pass.

Like other import types, these will be cleaned up when they are no longer necessary by cargo vet prune, though a new regenerate subcommand, cargo vet regenerate unpublished, will allow removing them even if they're still necessary.

In addition, if a smaller delta is available due to a new published version with an audit, cargo vet prune will also reduce that delta, to try to ensure that the audited version is as close as possible to the version in-tree.

When running cargo vet suggest, audits allowing the removal of outdated unpublished entries will be suggested, much like how audits are suggested to remove exemptions. Unpublished versions will never be suggested as an audit source or destination.

If the version becomes published, a warning will recommend running cargo vet regenerate unpublished to clean up the unpublished entry.

Fixes #495