fix(guided remediation): handle extraneous/missing packages in package-lock.json more leniently

[michaelkedar]

Changes two things for package-lock.json parsing:

1. Made it so packages installed in unknown locations (e.g. under a non-existent package) are ignored (following npm's behaviour), instead of triggering a panic.
2. Made missing dependencies in the lockfile not cause an error. npm would typically raise an error here, unless the missing dependency under a workspace's dependency graph. I think it's ok if we're more lenient than npm here.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 70.42254% with 21 lines in your changes missing coverage. Please review.

Project coverage is 68.88%. Comparing base (9a303ec) to head (3344c6f).
Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/resolution/lockfile/npm_v2.go	66.66%	7 Missing and 3 partials ⚠️
internal/resolution/lockfile/npm_v1.go	70.00%	7 Missing and 2 partials ⚠️
internal/resolution/lockfile/npm.go	81.81%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1394      +/-   ##
==========================================
- Coverage   69.02%   68.88%   -0.14%     
==========================================
  Files         185      185              
  Lines       17869    17950      +81     
==========================================
+ Hits        12334    12365      +31     
- Misses       4876     4916      +40     
- Partials      659      669      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

---

🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests

[oliverchang]

can you explain a bit more why we don't need DevDeps and OptionalDeps here anymore?

[michaelkedar]

Deps now also contains the dep.Type, which has whether it's optional or dev (or peer) in it.