Fix yarn lockfile with unknown resolvers

The yarn lockfile allows various different resolvers other than the
standard one which pulls from npm. Some of these include the filesystem
(@workspace), http/s (@http/s), and ssh (@ssh).

To ensure our parser is robust against all types of possible resolvers,
this patch checks for the presence of `@npm` to ensure that the
dependency can be resolved through npm. All other dependencies are
silently ignored.

This comes with the trade-off that it is easier for a failure to parse a
dependency, that can be resolved through npm, to be hidden from the
user, opening up the possibility for hidden vulnerabilities. It also
assumes that no package scope starts with `@npm`, otherwise the parser
might throw an error.

Closes #344.

cli/src/lockfiles/javascript.rs

@@ -94,8 +94,8 @@ impl Parseable for YarnLock {
                 .filter(|s| !s.is_empty())
                 .ok_or_else(|| "Failed to parse resolution field in yarn lock file".to_owned())?;
 
-            // Ignore workspace-local dependencies like project itself ("project@workspace:.").
-            if resolution[1..].contains("@workspace:") {
+            // Ignore workspace-local, or remote dependencies like "project@workspace:.".
+            if !resolution[1..].contains("@npm") {
                 continue;
             }
 

cli/tests/fixtures/yarn.lock

@@ -470,3 +470,10 @@ __metadata:
   checksum: ae0123222c6df65b437669d63dfa8c36cee20a504101b2fcd97b8bf76f91259c17f9f2b4d70a1e3c6bbcee7f51b28392833adb6b2770b23b01abec84e369660b
   languageName: node
   linkType: hard
+
+"ethereumjs-abi@git+https://github.com/ethereumjs/ethereumjs-abi.git":
+  version: 0.6.8
+  resolution: "ethereumjs-abi@https://github.com/ethereumjs/ethereumjs-abi.git#commit=ee3994657fa7a427238e6ba92a84d0b529bbcde0"
+  checksum: ae074be0bb012857ab5d3ae644d1163b908a48dd724b7d2567cfde309dc72222d460438f2411936a70dc949dc604ce1ef7118f7273bd525815579143c907e336
+  languageName: node
+  linkType: hard