warn or info for similar looking advisory URLs #11

Open
g-k opened this issue Nov 19, 2018 · 1 comment
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@g-k (Contributor) commented Nov 19, 2018

refs: #2 nodesecurity.io redirect and mozilla/fxa-profile-server#353 and related discussion on #fxa on IRC (job https://travis-ci.org/mozilla/fxa-profile-server/jobs/457024645).

Exit codes and filter matching would be unchanged, but when similar looking URLs show up in the audit JSON output we write to stderr something like:

"found the url 'https://www.npmjs.com/advisories/598' on .nsmprc line X did you mean 'https://npmjs.com/advisories/598' to match line Y from the audit JSON output?"

and suggest that they check both URLs resolve to the same advisory.

We can define "similar looking URLs" to 1) contain the same advisory ID and 2) have one or more of the following be true:

  • domain differs between nodesecurity.io and npmjs.com
  • protocol differs between http and https (also probably want to warn for http)
  • an optional www subdomain e.g. from npmjs.com/advisories/ and www.npmjs.com/advisories/

Unit tests would check that we make suggestions for:

  • https://nodesecurity.io/advisories/598 and https://npmjs.com/advisories/598
  • http://nodesecurity.io/advisories/598 vs https://nodesecurity.io/advisories/598
  • https://npmjs.com/advisories/598 and https://www.npmjs.com/advisories/598

and no suggestion for other URLs.

@g-k g-k added enhancement New feature or request help wanted Extra attention is needed good first issue Good for newcomers labels Nov 19, 2018
@g-k (Contributor, Author) commented Nov 19, 2018

There's an implicit question here of "why don't we either consider URLs we know to be the same ID the same, or try to resolve them to the matching URLs".

I'd like to avoid making network calls in this tool (i.e. keep analysis offline using the files and output we have) and keep the mental model for how it works simple.

I also don't want to include MITM, domain takeover / DNS hijacking / rebinding, random npm site misconfig (beyond whatever npm audit does) in the threat model for this tool.
