fix(audit): exclude locally linked packages from vulnerability audit #9044

Open
lucas-gomes-santana wants to merge 1 commit into npm:latest from lucas-gomes-santana:fix/npm-audit-flag

Conversation

@lucas-gomes-santana

Summary

Fixes #8920

npm audit was reporting false positive critical vulnerabilities for packages that resolve to local folders via symlinks ("link": true in package-lock.json).


Root Cause

When a package-lock.json declares a locally linked package, Arborist creates two nodes in the dependency tree:

  • A Link node at node_modules/<package-name> (with isLink = true)
  • A regular Node at the resolved local path (the symlink target, with linksIn.size > 0)

The shouldAudit() method in audit-report.js was not excluding either of these nodes, so both were included in the bulk advisory payload sent to the registry. If a package on the registry happened to share the same name and version as the local package, its vulnerabilities would be incorrectly reported against the local one.

This was affecting real-world projects, such as the Microsoft Authentication Library for JS, which has an internal package named electron-test-app that coincidentally shares its name with a known malware package on the registry.


Fix

In workspaces/arborist/lib/audit-report.js, the shouldAudit() method now returns false for:

  • node.isLink — the symlink node itself
  • node.linksIn?.size > 0 — the local target folder the symlink points to

This prevents locally resolved packages from ever reaching the registry bulk advisory request.


Testing

Added a new test case and fixture (audit-linked-package) to workspaces/arborist/test/audit-report.js that:

  • Sets up a project with a locally linked package that shares its name with a vulnerable registry package
  • Asserts that no vulnerability is reported
  • Asserts that no unexpected request is made to the registry (enforced by MockRegistry strict mode)
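The mechanism the description walks through (two Arborist nodes per linked package, a `shouldAudit()` filter, and a bulk advisory payload keyed by package name) can be shown end to end with a small model. The block below is an added illustration, not code from this pull request, npm or Arborist: the node fields (`name`, `version`, `isRoot`, `isLink`, `linksIn`, `location`), the `shouldAuditBefore`/`shouldAuditAfter` predicates, the `{ name: [versions] }` payload shape and the advisory data are all constructed here to mirror the description, not taken from the project.

```javascript
// Added illustration, not code from npm or Arborist: a minimal model of how an
// Arborist-style dependency tree is filtered into the bulk advisory payload,
// showing why a Link node and its resolved target must both be skipped.
// Node fields follow the PR description; the exact Arborist class shape and
// the payload format used here are assumptions.

// Constructed sample tree for a project with one registry dependency and one
// locally linked package (symlink node plus the folder it resolves to).
function buildSampleTree () {
  const mk = (name, version, location, extra = {}) =>
    ({ name, version, location, isRoot: false, isLink: false, linksIn: new Set(), ...extra })

  const root = mk('my-app', '1.0.0', '', { isRoot: true })
  const lodash = mk('lodash', '4.17.20', 'node_modules/lodash')
  // Regular Node at the symlink target: the local folder holding the package.
  const target = mk('electron-test-app', '1.0.0', 'apps/electron-test-app')
  // Link node at node_modules/<name>, pointing at that target.
  const link = mk('electron-test-app', '1.0.0', 'node_modules/electron-test-app', { isLink: true, target })
  target.linksIn.add(link) // the target now has linksIn.size > 0
  return [root, lodash, target, link]
}

// Behaviour the PR describes as buggy: nothing about links is checked, so the
// Link node and its target both end up in the registry request.
function shouldAuditBefore (node) {
  return Boolean(node.version) && !node.isRoot
}

// Fixed behaviour: additionally skip the symlink node and the local folder it
// resolves to, so locally resolved packages never reach the registry request.
function shouldAuditAfter (node) {
  if (!node.version || node.isRoot) return false
  if (node.isLink) return false // the symlink node itself
  if (node.linksIn?.size > 0) return false // the resolved local target
  return true
}

// Build the bulk advisory request body, { [packageName]: [version, ...] },
// from the nodes a shouldAudit predicate admits (versions de-duplicated).
function bulkPayload (nodes, shouldAudit) {
  const payload = {}
  for (const node of nodes) {
    if (!shouldAudit(node)) continue
    const versions = payload[node.name] ?? (payload[node.name] = [])
    if (!versions.includes(node.version)) versions.push(node.version)
  }
  return payload
}

// Constructed stand-in for the registry's answer: an advisory against a
// registry package that merely shares the local package's name and version.
// The advisory id and severity are placeholders, not real data.
const registryAdvisories = {
  'electron-test-app': [
    { id: 'EXAMPLE-ADVISORY-0001', severity: 'critical', vulnerableVersions: ['1.0.0'] },
  ],
}

// Match the payload against the advisories and return the package names that
// would be reported, sorted for stable comparison.
function reportedPackages (payload, advisories) {
  const hits = new Set()
  for (const [name, versions] of Object.entries(payload)) {
    for (const adv of advisories[name] ?? []) {
      if (versions.some(v => adv.vulnerableVersions.includes(v))) hits.add(name)
    }
  }
  return [...hits].sort()
}

// Stand-alone run: before the fix the local package is flagged, after it is not.
const sampleTree = buildSampleTree()
for (const [label, predicate] of [['before', shouldAuditBefore], ['after', shouldAuditAfter]]) {
  const payload = bulkPayload(sampleTree, predicate)
  console.log(label, JSON.stringify(payload), 'reported:', reportedPackages(payload, registryAdvisories))
}
```

With the old predicate the payload carries `electron-test-app@1.0.0` (contributed twice, by the Link node and by its target, and de-duplicated), so the name-matched registry advisory is reported against a package that never came from the registry; with the fixed predicate only `lodash` is sent and nothing is reported. The same property is what the PR's strict-mode mock registry enforces: the linked package must not appear in any request at all, not merely be filtered out of the response.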

@lucas-gomes-santana lucas-gomes-santana requested a review from a team as a code owner February 28, 2026 18:11
@lucas-gomes-santana lucas-gomes-santana changed the title fix(audit): exclude locally linked packages from vulnerability audit (#8920) fix(audit): exclude locally linked packages from vulnerability audit Feb 28, 2026

Development

Successfully merging this pull request may close these issues.

[BUG] npm audit will flag a resolved dependency as vulnerable if a package on the npm registry with the same name is vulnerable