Add yarn.lock support (classic v1 and berry) #16

Open: ejntaylor wants to merge 1 commit into ejntaylor/brisbane-v1 from ejntaylor/yarn-support

@ejntaylor
Contributor

Summary

  • Adds a zero-dep parser for yarn.lock covering both yarn classic (v1, version "x" field syntax) and yarn berry (v2+, YAML-style version: x with __metadata header and npm: protocol descriptors).
  • Handles multi-descriptor blocks ("axios@^1.6.0", "axios@~1.6.0":), quoted-comma edge cases, scoped names, and dedupes blocks that resolve to the same name@version.
  • Direct-vs-transitive marking cross-references the sibling package.json (yarn's lockfile, unlike pnpm v9's, doesn't record an importer manifest). Missing or unreadable package.json leaves entries unmarked rather than failing the scan.
  • Detection priority is now npm > pnpm > yarn > bun, matching what each package manager itself prefers when multiple lockfiles are present — important for in-progress migrations.

Stacked on pnpm PR

Based on #15 so the diff here only shows yarn changes. GitHub will auto-retarget to main when #15 merges.

Test plan

  • npm run typecheck — clean
  • npm test — 88/88 pass (21 new yarn tests; pnpm tests still green)
  • npm run build — bundles updated dist/
  • Manual: run npx @patchstack/connect scan --dry-run against a real yarn classic project (e.g. a Next.js app generated with yarn create next-app)
  • Manual: same against a yarn berry / PnP project, confirm direct deps from package.json are flagged

🤖 Generated with Claude Code

Yarn is the last of the four major Node package managers we didn't yet
read. This adds a zero-dep parser that handles both yarn classic
(`version "x"`) and yarn berry (`version: x`, `__metadata` header, `npm:`
descriptors) by walking the shared block structure and only branching on
the value syntax.

Yarn's lockfile, unlike pnpm v9's, doesn't record an importer manifest,
so direct-vs-transitive marking is cross-referenced against the sibling
`package.json`. Absent or unreadable package.json leaves all entries
unmarked rather than failing the scan.

Detection priority is npm > pnpm > yarn > bun, so a yarn migration in
progress with multiple lockfiles still resolves deterministically and
matches what the package manager itself would prefer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
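
The block walk described in the PR summary and commit message above, sketched as an added example; it is not the code from this PR. The function names, the two-space field indent check, the comma-free descriptor assumption, and the choice of `dependencies` plus `devDependencies` as the "direct" set are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not the PR's API.
// Assumes descriptors contain no commas and fields are indented two spaces.
function nameOf(descriptor) {
  const at = descriptor.indexOf("@", 1); // skip the leading "@" of a scoped name
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

function parseYarnLock(text, manifest) {
  // manifest: parsed package.json, or null when it is missing or unreadable
  const direct = manifest
    ? new Set(Object.keys({ ...manifest.dependencies, ...manifest.devDependencies }))
    : null;
  const seen = new Map(); // "name@version" -> entry, dedupes repeated resolutions
  let names = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      // Column-0 line opens a block. Classic quotes each descriptor; berry
      // puts the comma-separated list inside one quoted key.
      const skip = line.startsWith("__metadata") || line.includes("@workspace:");
      const header = line.replace(/:\s*$/, "").replace(/"/g, "");
      names = skip ? null : [...new Set(header.split(/,\s*/).map(nameOf))];
      continue;
    }
    // classic: `  version "1.6.2"`   berry: `  version: 1.6.2`
    const m = names && /^ {2}version:?\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (!m) continue;
    for (const name of names) {
      const key = `${name}@${m[1]}`;
      const entry = { name, version: m[1] };
      if (direct) entry.direct = direct.has(name); // unmarked without a manifest
      if (!seen.has(key)) seen.set(key, entry);
    }
    names = null; // ignore nested keys until the next block header
  }
  return [...seen.values()];
}

// Constructed sample lockfiles (not from a real project).
const CLASSIC = ['# yarn lockfile v1', '',
  '"@babel/core@^7.0.0", "@babel/core@^7.1.0":', '  version "7.24.0"',
  '  dependencies:', '    version "^1.0.0"', '',
  'axios@^1.6.0, axios@~1.6.0:', '  version "1.6.2"'].join("\n");
const BERRY = ['__metadata:', '  version: 8', '',
  '"@babel/core@npm:^7.0.0, @babel/core@npm:^7.1.0":', '  version: 7.24.0', '',
  '"demo-app@workspace:.":', '  version: 0.0.0-use.local', '',
  '"axios@npm:^1.6.0":', '  version: 1.6.2'].join("\n");
```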
@coderbuds

coderbuds Bot commented May 19, 2026

Migration covering the required updates.

🎯 Quality: 70% Good · 📦 Size: Oversized — strongly consider breaking this down

📈 This month: Your 55th PR — above team average · Averaging Good

See how your team is trending →

@ejntaylor
Contributor Author

/review
