Cargo uses "package" in Cargo.lock, so there is wisdom to using "package"
instead of "crate_name"
This reverts commit 986c090c06, reversing
changes made to 9556f0fdee.
The correct name for a Rust package is a "crate", so something with "crate" is
less ambiguous than "package".
However, "crate" itself is a Rust keyword. To avoid clashes in Rust code which
uses this same attribute name, "crate_name" can be used instead unambigously.
Taking a cue from RubySec, this splits the original "versions" attribute into
separate ones for versions which were never vulnerable, and ones which include
an explicit fix for a vulnerability.
This is using the TOML format described in the (presently open) initial RustSec
RFC for security advisories described here:
https://github.com/RustSec/rfcs/pull/1
