
feat: add lockfile parser framework for npm, python, and maven #41

Closed
DevonL wants to merge 1 commit into main from split/dependency-health-v2-01-lockfile-core

Conversation

@DevonL DevonL (Collaborator) commented Apr 8, 2026

📄 Summary

adds lockfile parser framework for npm, python, and maven

🔍 Related Issues

Link to any related GitHub issues (e.g., Fixes #12, Closes #34):

🧪 Type of Change

Please check the relevant type tag for this PR title:

  • [FIX] Bug fix
  • [NEW] New thing
  • [REFACTOR] Internal changes such as code restructuring or optimization that does not alter functionality
  • [DOC] Documentation-only changes
  • [CHORE] Maintenance, cleanup, or CI configuration

🧪 How Has This Been Tested?

Describe how you tested your changes. Include CI runs, local tests, manual verification, or screenshots if applicable.

📸 Screenshots (if applicable)

If UI or logs are affected, include before/after screenshots or output.

✅ Checklist

  • I’ve read and followed the CONTRIBUTING.md.
  • I’ve added or updated documentation as needed.
  • I’ve verified the change is tested and works as intended.
  • CI/CD checks pass and do not break existing functionality.
  • My code follows the style guidelines of this project.

@DevonL DevonL requested a review from colinmoynes as a code owner April 8, 2026 14:42
Copilot AI review requested due to automatic review settings April 8, 2026 14:42
Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces a comprehensive lockfile parser framework supporting npm, Python, and Maven ecosystems. It extracts and refactors dependency parsing logic into a modular system with shared utilities for file access, path validation, and manifest parsing across different package managers.

Changes:

  • Added shared utility functions for secure file access, path validation, and dependency tree building
  • Created ecosystem-specific lockfile parsers for npm (package-lock.json, yarn.lock, pnpm-lock.yaml), Python (poetry.lock, uv.lock, Pipfile.lock, requirements.txt), and Maven
  • Added manifest parsing helpers supporting 10+ package manager formats (npm, Python, Maven, Cargo, Ruby, Go, Dart, Composer, Helm, Swift, Elixir, .NET)
  • Refactored ManifestParser to use the new shared utilities and delegate pyproject.toml parsing
  • Added comprehensive test suites for all three new parsers with fixture files

Reviewed changes

Copilot reviewed 16 out of 22 changed files in this pull request and generated 2 comments.

Summary per file:

  • util/packageNameNormalizer.js: New utility for normalizing package names across ecosystems with format mapping and Docker image handling
  • util/manifestParser.js: Updated to use shared utilities and delegate pyproject parsing to manifestHelpers
  • util/lockfileParsers/shared.js: New shared utilities for secure workspace-bound file operations and dependency tree building
  • util/lockfileParsers/pythonParser.js: New parser for Python lockfiles with support for multiple lock formats
  • util/lockfileParsers/npmParser.js: New parser for npm lockfiles supporting package-lock.json, yarn.lock, and pnpm-lock.yaml
  • util/lockfileParsers/mavenParser.js: New parser for Maven with pom.xml manifest and dependency-tree.txt lockfile support
  • util/lockfileParsers/manifestHelpers.js: New helpers for parsing manifests across 10+ package managers
  • test/lockfileParsers/: New comprehensive test suites for all three parsers
  • test/helpers/fixtureWorkspace.js: New test utilities for creating temporary workspaces
Files not reviewed (2)
  • test/fixtures/npm/package-lock.json: Language not supported
  • test/fixtures/npm/pnpm-lock.yaml: Language not supported


@DevonL DevonL force-pushed the split/dependency-health-v2-01-lockfile-core branch 3 times, most recently from 8ed36bc to 68d3369 on April 8, 2026 19:28
@DevonL DevonL (Collaborator, Author) commented Apr 9, 2026

Closing this PR because the initial split/stacking strategy was incorrect and produced oversized, overlapping diffs.

A clean stacked PR set will be reopened from the original feature branch.

@DevonL DevonL closed this Apr 9, 2026