Add pnpm-lock.yaml support #15

Open

ejntaylor wants to merge 1 commit into main from ejntaylor/brisbane-v1

@ejntaylor
Contributor

Summary

  • Adds a zero-dep parser for pnpm-lock.yaml so projects using pnpm (common output of v0, Bolt, Lovable, and other vibe-coding platforms) can scan with @patchstack/connect instead of hitting LOCKFILE_UNSUPPORTED.
  • Handles every pnpm lockfile generation: v5 slash-separated (/pkg/1.0.0), v6–v8 leading-slash with @ and (peer) suffix, and v9 unquoted/quoted keys.
  • Marks direct dependencies from importers: (v9) or top-level dependencies / devDependencies / optionalDependencies (v6–v8 single-project lockfiles). Best-effort: transitive packages are reported but not flagged as direct, matching the npm parser's behaviour.
  • Detection routes pnpm before yarn so an in-progress yarn migration with both lockfiles present still works. package-lock.json continues to win when both are present (verified by test).
  • Yarn remains "coming soon" — the detector and DetectionStrategy union already have slots for it, so wiring it up is a follow-up of the same shape.

Test plan

  • npm run typecheck — clean
  • npm test — 67/67 pass (16 new pnpm tests)
  • npm run build — bundles updated dist/
  • Manual: run npx @patchstack/connect scan --dry-run in a real pnpm-scaffolded project (e.g. a v0/Bolt export) and confirm the payload lists every package
  • Manual: run against a workspace-mode pnpm repo and confirm direct-dep marking for the root importer

🤖 Generated with Claude Code

Vibe-coded apps from platforms like v0/Bolt/Lovable often ship with
pnpm-lock.yaml, which the connector previously rejected with
LOCKFILE_UNSUPPORTED. This adds a zero-dep parser that handles every
common pnpm lockfile format (v5 slash-separated, v6-v8 leading-slash with
`@`, v9 unquoted/quoted keys with `(peer)` suffixes) and marks direct
dependencies from either `importers:` (v9) or top-level dependency
sections (v6-v8 single-project lockfiles).

Detection routes pnpm before yarn so an in-progress yarn migration with
both lockfiles present still works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
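
The key shapes named in the PR description and commit message (v5 `/pkg/1.0.0`, v6–v8 `/pkg@1.0.0(peer)`, v9 quoted or unquoted `pkg@1.0.0`) can be normalised to name/version pairs as below. This is an added example, not code from this pull request; `parsePnpmKey`, `listPackages` and `SAMPLE_LOCK` are hypothetical names, and the sample lockfile is constructed.

```typescript
// Added example, not the PR's parser. All names here are hypothetical.
interface PkgRef { name: string; version: string }

// v5: /name/1.0.0 or /@scope/name/1.0.0; pnpm v5 may append "_<peer info>".
const V5_KEY = /^\/((?:@[^/@]+\/)?[^/@]+)\/(\d[^/_]*)(?:_.*)?$/;
// v6-v8: /name@1.0.0 (leading slash); v9: name@1.0.0 (no slash).
const AT_KEY = /^\/?((?:@[^/@]+\/)?[^/@]+)@(\d[^@]*)$/;

function parsePnpmKey(rawKey: string): PkgRef | null {
  let key = rawKey.trim();
  // v9 quotes keys that begin with "@", e.g. '@scope/name@1.0.0'.
  const quoted = /^(['"])(.*)\1$/.exec(key);
  if (quoted) key = quoted[2];
  // Drop the "(peer@x.y.z)" suffix before matching.
  const paren = key.indexOf("(");
  if (paren !== -1) key = key.slice(0, paren);
  const m = V5_KEY.exec(key) || AT_KEY.exec(key);
  // Anything that is not a name plus a version starting with a digit
  // (assumption: git or file specifiers) is skipped rather than guessed at.
  return m ? { name: m[1], version: m[2] } : null;
}

// Collect unique packages from the two-space-indented keys under "packages:".
function listPackages(lockText: string): PkgRef[] {
  const seen: Record<string, PkgRef> = {};
  let inPackages = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inPackages = /^packages:\s*$/.test(line); continue; }
    const entry = /^ {2}(\S.*):\s*$/.exec(line);
    if (!inPackages || !entry) continue;
    const ref = parsePnpmKey(entry[1]);
    if (ref) seen[`${ref.name}@${ref.version}`] = ref;
  }
  return Object.keys(seen).map((k) => seen[k]);
}

// Constructed sample: a v6-style fragment with a peer suffix and a scoped name.
const SAMPLE_LOCK = [
  "lockfileVersion: '6.0'",
  "dependencies:",
  "  react-dom:",
  "    specifier: ^18.2.0",
  "packages:",
  "  /react-dom@18.2.0(react@18.2.0):",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  /@babel/core@7.24.0:",
  "    dev: true",
].join("\n");
```

A key that fails both patterns returns `null`, so a scanner built this way should count and report skipped keys rather than silently sending a shorter package list.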
@ejntaylor
Contributor Author

/review

@coderbuds

coderbuds Bot commented May 19, 2026

Migration covering the required updates.

🎯 Quality: 70% Good · 📦 Size: Oversized — strongly consider breaking this down

📈 This month: Your 53rd PR — above team average · Averaging Good

See how your team is trending →
