[BUG] Patched version shows "N/A" for advisories with non-strict semver version ranges #1075

@tspascoal

Description

Describe the bug

When show-patched-versions is enabled, the vulnerability summary displays "N/A" as the patched version for advisories whose vulnerable version ranges contain version identifiers that are not strict semver. For example, advisory GHSA-vc5p-v9hr-52mj for org.apache.logging.log4j:log4j-core specifies the range >= 2.0-beta9, < 2.25.3. The version 2.0-beta9 is missing the patch segment required by strict semver (2.0.0-beta9), so semver.validRange() rejects the entire range. This causes the patch version lookup to fail silently, showing "N/A" even though the API returned a valid patched version (2.25.3). This primarily affects Maven packages, which commonly use non-strict version formats like 2.0-beta9 or 2.0-rc1 in their advisory ranges.

To Reproduce
Steps to reproduce the behavior:

  1. Create a PR to a pom.xml
  2. Make sure it includes log4j version 2.12.4 (this will trigger advisory GHSA-vc5p-v9hr-52mj)
  3. Make sure the dependency review action has the parameter show-patched-version set to true
  4. See that the patched version column shows N/A

Expected behavior

Patched version should show version 2.25.3

Screenshots

Action version

v4.9.0

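As an added illustration (not the action's own code), the snippet below reproduces the strict-semver rejection of the GHSA-vc5p-v9hr-52mj range and shows one way a lookup could pad the missing patch segment before validating; `normalizeVersion`, `parseAdvisoryRange`, `compareSemver` and `satisfies` are hypothetical helpers written for this example, not the dependency-review-action or `semver` package API.

```javascript
// Added example (not dependency-review-action's own code): a strict semver check rejects
// ">= 2.0-beta9, < 2.25.3" because 2.0-beta9 lacks a patch segment; padding it first fixes that.
const STRICT_SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
// Hypothetical normaliser: "2.0-beta9" -> "2.0.0-beta9", "2" -> "2.0.0"; prerelease kept verbatim.
function normalizeVersion(v) {
  const m = /^(\d+(?:\.\d+){0,2})(.*)$/.exec(v.trim());
  if (!m) return v;
  const core = m[1].split('.');
  while (core.length < 3) core.push('0');
  return core.join('.') + m[2];
}
// Parse "op version, op version" into comparators. Returns null when a bound is not strict
// semver; with normalize=false that null is exactly the silent failure the issue describes.
function parseAdvisoryRange(range, normalize = true) {
  const out = [];
  for (const part of range.split(',').map((s) => s.trim()).filter(Boolean)) {
    const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(part);
    const version = normalize ? normalizeVersion(m[2]) : m[2];
    if (!STRICT_SEMVER.test(version)) return null;
    out.push({ op: m[1] || '=', version });
  }
  return out;
}
// Compare dotted identifier lists segment-wise: numeric < alphanumeric, shorter < longer.
function cmpIds(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined || b[i] === undefined) return a[i] === undefined ? -1 : 1;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na && nb) { if (Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1; }
    else if (na !== nb) return na ? -1 : 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
// Strict semver ordering: numeric core, then prerelease (2.0.0-beta9 < 2.0.0).
function compareSemver(a, b) {
  const pa = STRICT_SEMVER.exec(a), pb = STRICT_SEMVER.exec(b);
  const core = cmpIds(pa.slice(1, 4), pb.slice(1, 4));
  if (core !== 0) return core;
  if (!pa[4] || !pb[4]) return pa[4] ? -1 : pb[4] ? 1 : 0;
  return cmpIds(pa[4].split('.'), pb[4].split('.'));
}
// True when `version` (possibly non-strict, e.g. a Maven coordinate) lies inside the parsed range.
function satisfies(version, comparators) {
  const c = (bound) => compareSemver(normalizeVersion(version), bound);
  return comparators.every(({ op, version: b }) =>
    op === '>=' ? c(b) >= 0 : op === '>' ? c(b) > 0 : op === '<=' ? c(b) <= 0 : op === '<' ? c(b) < 0 : c(b) === 0);
}
```

With padding, 2.12.4 satisfies the vulnerable range while the API's patched version 2.25.3 does not, which is the result the summary column should reach instead of N/A.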