
feat: expand lockfile resolver coverage across additional ecosystems#42

Open

DevonL wants to merge 1 commit into main from split/dependency-health-v2-02-lockfile-coverage

Conversation

DevonL (Collaborator) commented Apr 8, 2026

📄 Summary

Split 2 expands lockfile resolver coverage across additional ecosystems

🔍 Related Issues

Link to any related GitHub issues (e.g., Fixes #12, Closes #34):

🧪 Type of Change

Please check the relevant type tag for this PR title:

  • [FIX] Bug fix
  • [NEW] New thing
  • [REFACTOR] Internal changes such as code restructuring or optimization that does not alter functionality
  • [DOC] Documentation-only changes
  • [CHORE] Maintenance, cleanup, or CI configuration

🧪 How Has This Been Tested?

Describe how you tested your changes. Include CI runs, local tests, manual verification, or screenshots if applicable.

📸 Screenshots (if applicable)

If UI or logs are affected, include before/after screenshots or output.

✅ Checklist

  • I’ve read and followed the CONTRIBUTING.md.
  • I’ve added or updated documentation as needed.
  • I’ve verified the change is tested and works as intended.
  • CI/CD checks pass and do not break existing functionality.
  • My code follows the style guidelines of this project.

@DevonL DevonL requested a review from colinmoynes as a code owner April 8, 2026 14:43
Copilot AI review requested due to automatic review settings April 8, 2026 14:43
Copilot AI (Contributor) left a comment

Pull request overview

This PR significantly expands lockfile resolver coverage by adding support for 14 package ecosystems (npm, Python, Maven, Gradle, Go, Cargo, Ruby, Docker, NuGet, Dart, Composer, Helm, Swift, and Hex). The implementation introduces a modular architecture with shared utilities for path validation and manifest parsing, allowing each ecosystem to implement standard canResolve(), detect(), and resolve() methods. The changes refactor the existing manifestParser.js to use these shared helpers for consistency.

Changes:

  • Adds 14 ecosystem-specific lockfile parser modules with comprehensive dependency resolution logic
  • Introduces shared utilities (shared.js, manifestHelpers.js) for path validation, file I/O, and manifest parsing
  • Adds package name normalization module for consistent cross-ecosystem dependency identification
  • Creates main LockfileResolver orchestrator class to manage parser registration and execution
  • Refactors existing manifestParser.js to leverage shared helpers
  • Includes comprehensive test suite with fixtures for all ecosystems
  • Adds copyright headers to all new source files

Reviewed changes

Copilot reviewed 45 out of 57 changed files in this pull request and generated 4 comments.

Summary per file:

| File | Description |
| --- | --- |
| util/packageNameNormalizer.js | Provides package name normalization across 16+ ecosystems with security sanitization |
| util/lockfileResolver.js | Main orchestrator that manages parser registration, detection, and resolution with path validation |
| util/lockfileParsers/shared.js | Shared utilities: path validation, file I/O, dependency tree building, and comment/format parsing |
| util/lockfileParsers/manifestHelpers.js | Manifest parsing helpers for all ecosystems (26 functions, ~650 LOC) |
| util/lockfileParsers/{npm,python,maven,gradle,go,cargo,ruby,docker,nuget,dart,composer,helm,swift,hex}Parser.js | Ecosystem-specific parsers implementing the standard resolver interface |
| util/manifestParser.js | Refactored to use shared helpers for consistency and maintainability |
| test/lockfileParsers/{npm,python,maven,docker,cargo}Parser.test.js | Comprehensive test coverage with fixture-based testing |
| test/helpers/fixtureWorkspace.js | Test utility functions for workspace management |
| test/fixtures/{ecosystem}/ | Fixture files for all ecosystems |
Files not reviewed (2)
  • test/fixtures/npm/package-lock.json: Language not supported
  • test/fixtures/npm/pnpm-lock.yaml: Language not supported



```javascript
async detect(workspaceFolder) {
  const rootPath = getWorkspacePath(workspaceFolder);
  const entries = await fs.promises.readdir(rootPath);
```
Copilot AI commented Apr 8, 2026

Direct fs.promises.readdir call bypasses workspace path validation provided by the shared helpers. This is inconsistent with the security model established in lockfileResolver.js (lines 90-95) where paths are validated before use. All filesystem operations should go through resolveWorkspaceFilePath for consistent access control.

DevonL force-pushed the split/dependency-health-v2-02-lockfile-coverage branch 3 times, most recently from 4083367 to 36372cd on April 8, 2026 19:28
DevonL force-pushed the split/dependency-health-v2-02-lockfile-coverage branch from 36372cd to 54581fa on April 8, 2026 19:39
