fix: npm run audit also on patched packages

[tommasini]

What's the problem this PR addresses?

This PR was created by me and @Gudahtt; without him, this PR would never have existed. 👏

yarn npm audit was not auditing packages that sit behind the patch: protocol (or any protocol that uses resolution dependencies). It only considered locators with an npm: reference, so patched (and similar) packages were skipped and their underlying npm package was never sent to the audit.
That created a gap: vulnerabilities in patched packages were not reported.

How did you fix it?

• Use the resolver’s resolution dependencies: For each descriptor, we call resolver.getResolutionDependencies(). When that returns entries, we recurse by calling processDescriptor(parent, resolutionDependencyDescriptor) for each, so we follow the real source (e.g. the npm package behind a patch) instead of hardcoding protocols.

• Devirtualize before resolving: We run structUtils.ensureDevirtualizedDescriptor(descriptor) before calling into the resolver, so we never call getResolutionDependencies on a virtual descriptor.

• Graceful fallback: If the descriptor has no resolution dependencies, we keep the current behavior: we treat the resolved package as the one to audit and continue the tree walk as before.

• One place for recursive traversal: We no longer return early in the “has resolution dependencies” branch. Both that branch and the normal branch fall through to a single if (recursive) { … queue pkg.dependencies } at the end, so recursive traversal is shared and the full dependency tree is still audited.

Checklist

• I have read the Contributing Guide.

• I have set the packages that need to be released for my changes to be effective.

• I will check that all automated PR checks pass before the PR gets reviewed.

[arcanis]

Thanks for looking into that - can you also add a test?