refactor: restructure download command into 4-step architecture, fix SKIPPED status, and extract shared helpers

Author: opswithranjan

CHANGELOG.md

@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 
 
-## [1.14.0] - 2026-03-09
+## [1.15.0] - 2026-03-13
 
 ### Added
 
@@ -19,6 +19,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added `--download-all` flag to `download` command to download all matching packages instead of erroring on multiple matches
 - Multiple packages table now includes a Filename column for easier disambiguation
 
+## [1.14.0] - 2026-03-11
+
+### Added
+
+- Added `vulnerabilities` command to retrieve security scan results for a package
+  - Summary View (Default): Displays a high-level count of vulnerabilities broken down by severity (Critical, High, Medium, Low, Unknown).
+  - Assessment View `--show-assessment` (`-A`): Provides a detailed breakdown where vulnerabilities are:
+    - Grouped by the specific affected upstream package / dependency.
+    - Sorted by severity (Critical first).
+    - Richly formatted tables.
+  - Filtering Capabilities:
+    - By Severity: `--severity` Show only specific levels (e.g., just Critical and High).
+    - By Status: `--fixable | --non-fixable` Filter to show only "Fixable" vulnerabilities (where a patch exists) or "Non-Fixable" ones.
+  - Supports `--output-format json | pretty_json` for programmatic usage
 
 ## [1.13.0] - 2026-02-16