Add vulnerable option to dotnet list package

[drewgillies]

This is a cherry-pick of the commit from #13318 into release/5.0.2xx. Details copied below:

Added --vulnerable option to dotnet list package CLI. Also removed most of the "policing" around other option combinations:

• --include-prerelease, --highest-minor, and highest-patch are only supposed to be used in combination with the --outdated option, but they're just ignored by the NuGet Xplat CLI otherwise, and we'll do the same here.
• --config and --source are only supposed to be used in combination with --vulnerable, --outdated and --deprecated reports, but they're also just ignored by the NuGet Xplat CLI, so we'll ignore them here.
• --vulnerable, --outdated and --deprecated all must be used mutually exclusively, and combining them is nonsense--we throw in the NuGet Xplat CLI in this case, and we'll continue to throw here.

[ghost]

Hello @wli3!

Because this pull request has the Auto-Merge If Tests Pass label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

Do note that I've been instructed to only help merge pull requests of this repository that have been opened for at least 12 minutes, a condition that will be fulfilled in about 8 minutes. No worries though, I will be back when the time is right! 😉

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.