We could add functionality to also scan `package-lock.json` (and similar lock files from other runtimes, like pnpm).
When doing this, we could warn that you have a dependency which deeply depends on a target module.
Some basic requirements:
- Off or warn-level by default (since there's no action we can do to resolve it)
- Support pnpm
- Support node
- Support yarn
- Behaves the same way as normal `package.json` scanning but with a more lenient warning since it may not be actionable
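A sketch of the lock file scan proposed above, added here as an illustration and not taken from the project's code. It assumes the npm `lockfileVersion` 2/3 `packages` map (pnpm and yarn lock files need their own parsers), and the names `resolveDep`, `findDeepDependents` and `SAMPLE_LOCK` are hypothetical.

```javascript
// Added example; SAMPLE_LOCK is constructed and its dependency graph is made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'app-utils': '^1.0.0', 'tiny-log': '^2.0.0' } },
  'node_modules/app-utils': { version: '1.2.0', dependencies: { 'num-tools': '^3.0.0' } },
  'node_modules/num-tools': { version: '3.1.0', dependencies: { 'is-odd': '^3.0.0', 'app-utils': '^1.0.0' } },
  'node_modules/is-odd': { version: '3.0.1' },
  'node_modules/tiny-log': { version: '2.0.0' },
} };

// Node-style lookup: nearest node_modules entry, walking up from the dependent.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// For each direct dependency, report the shortest chain that reaches `target`.
function findDeepDependents(lock, target) {
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const findings = [];
  for (const name of Object.keys({ ...root.dependencies, ...root.devDependencies })) {
    const start = resolveDep(packages, '', name);
    if (name === target || !start) continue; // direct use is package.json scanning's job
    const seen = new Set([start]); // guards against dependency cycles
    const queue = [[start, [name]]];
    search: while (queue.length) {
      const [path, chain] = queue.shift();
      const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
      for (const dep of Object.keys(deps)) {
        const next = resolveDep(packages, path, dep);
        if (!next || seen.has(next)) continue;
        if (dep === target) {
          findings.push({ via: name, chain: [...chain, dep], version: packages[next].version });
          break search;
        }
        seen.add(next);
        queue.push([next, [...chain, dep]]);
      }
    }
  }
  return findings;
}

console.log(findDeepDependents(SAMPLE_LOCK, 'is-odd'));
```

Each finding names the direct dependency (`via`) that pulls the target in, which is the only part of the chain the user can act on, for example by swapping or upgrading that dependency.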