[Experiment] First pass of npm support for the dependency submission workflow

[brrygrdn]

What are you trying to accomplish?

This branch follows up on our work to date on the enable_dependency_submission_poc experiment to incorporate the changes we require to lockfile parsing to npm's package-lock.json so that we can accurately graph a project using this file.

This incorporates the things that we are using to interpret a Dependabot parse for snapshots which are:

• Attributing a dependency list to each dependency file so we can orientate on a per-file basis to graph the right file rather than the dependency set which is often filtered for updater needs
• Setting which dependency files are considered the highest priority so we only graph those vs the whole set
• Attributing information about direct vs indirect, production vs development and direct descendants to the dependency data assigned to the file set

For npm, this has a slight wrinkle which is that we need to make a call out to npm ls to reliably determine the top-level dependencies for a project since only v3 lockfiles provide this information.

We could do this in a different way by comparing information across dependency files but that cuts against our idiom so far so I've avoid breaking/changing the pattern for now. I've limited this new native command to only runs with our experiment enabled to avoid side-effects.

Anything you want to highlight for special attention from reviewers?

Our approach is still on a 'make it work' basis to avoid making any assumptions about how we abstract a 'normal' parse from a 'verbose' parse for graphs.

Once we have a critical few package managers working, we will take a long look at our strategy and determine how to course correct before we fan out across all package managers.

Other changes

The first commit on this branch backfills a FileParser-level test for Bundler. We've been using Bundler to drive the updater/integration tests but it was useful to backfill a Bundler test at this level as a reference for the new work required for npm.

How will you know you've accomplished your goal?

I can generate a snapshot for a typical npm project that has all the same information a source-based parse provides.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.