feat: add package registry and maintainability check (#1400)

[RuchitAgrawal]

Summary

Adds a new check mcn_registry_maintainability_1 that validates whether a package exists on its public registry and is actively maintained.

Description of changes

The check uses three signals when available:

• Registry presence and release recency: Uses the existing find_publish_timestamp() to confirm the package exists and check how many days have passed since the last release. Exceeding the threshold fails the check.
• Deprecated/yanked status: Reads the yanked flag for PyPI packages and the deprecated field for npm packages from existing registry JSON responses. A yanked or deprecated package always fails, regardless of release age.
• GitHub repository signals: If the source repo is on GitHub, calls the existing get_repo_data() to check if the repo is archived and how recently code was pushed. An archived repo always fails.

Results include remediation guidance and links to the registry page and source repository. The inactivity threshold is configurable via defaults.ini under registry_maintainability (default: 365 days).

Related issues

Closes #1400

Checklist

• I have reviewed the contribution guide.
• My PR title and commits follow the Conventional Commits convention.
• My commits include the "Signed-off-by" line.
• I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
• I have updated the relevant documentation, if applicable.
• I have tested my changes and verified they work as expected.

[behnazh-w]

@RuchitAgrawal Thanks for the PR! Could you suggest a few packages that would fail this check? That would help us identify good candidates to include in integration tests.

[behnazh-w]

@RuchitAgrawal Looks like the integration tests are failing. You can search for "case failed" in the log to see which test is failing.

[RuchitAgrawal]

Thanks for the PR! Could you suggest a few packages that would fail this check? That would help us identify good candidates to include in integration tests.

@behnazh-w ,Here are a few packages that would fail across the check evaluation:

• pkg:pypi/aiohttp@3.9.3 — yanked due to a security vulnerability
  Stale release (last release older than the default 365-day threshold):

• pkg:pypi/arrow@0.15.0 — released May 2019, ~7 years old

• pkg:pypi/boto@2.49.0 — released April 2018, the original boto library superseded by boto3

• pkg:npm/request@2.88.2 — officially deprecated in 2020

[RuchitAgrawal]

@RuchitAgrawal Looks like the integration tests are failing. You can search for "case failed" in the log to see which test is failing.

Found the issue and pushed a fix.