ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

BUG: --npm wrong input does not throw error #3166

Closed gabibguti closed 4 months ago

gabibguti commented 1 year ago

Describe the bug
Scorecard can receive as input the name of the package from the npm, pypi and rubygems ecosystems, as per the documentation. Reading the documentation, it was not clear to me that I needed to provide the package name, and providing a package URL does not throw an error but runs the evaluation with weird behavior.

Reproduction steps
Steps to reproduce the behavior:

  1. Run Scorecard v4.10.2 with --npm=https://github.com/airbnb/lottie-web
  2. See output results for repo: name: github.com/perrmadiafrrian/react-lottie-light

Expected behavior
I expected Scorecard would warn me that I made a mistake in the --npm flag input and not run the evaluation for an unexpected repository.

Additional context
None.

spencerschrock commented 1 year ago

Has to do with the implementation using npm's search functionality:
https://www.npmjs.com/search?q=https%3A%2F%2Fgithub.com%2Fairbnb%2Flottie-web
https://github.com/ossf/scorecard/blob/4cd5446862ea4c470810fea81fc7f45a36d04dec/cmd/package_managers.go#L81-L84

If we do a different endpoint, could probably catch this sort of thing: https://registry.npmjs.org/<package>

https://registry.npmjs.org/lottie-web works
https://registry.npmjs.org/https://github.com/airbnb/lottie-web doesn't work
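The lookup sketched in the comment above, as an added Go example (not Scorecard's own code): it rejects anything that cannot be a bare npm package name, such as a repository URL, before querying the registry, and treats a non-200 answer from the `https://registry.npmjs.org/<package>` endpoint as an error rather than continuing with an unrelated repository. The registry is replaced by a constructed in-memory `http.RoundTripper` so the example runs offline; the function and type names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ValidateNpmName rejects inputs that cannot be a bare npm package name (a URL,
// whitespace, or an unscoped name containing "/") before any registry request.
func ValidateNpmName(name string) error {
	// Only scoped names ("@scope/name") may contain "/", and exactly one.
	scopedOK := !strings.Contains(name, "/") || (strings.HasPrefix(name, "@") && strings.Count(name, "/") == 1)
	if name == "" || strings.Contains(name, "://") || strings.ContainsAny(name, " \t") || !scopedOK {
		return fmt.Errorf("%q is not a valid npm package name", name)
	}
	return nil
}

// ResolveNpmPackage validates the name, then queries <registryBase>/<name>; any
// non-200 status (e.g. 404 for an unknown package) is reported, not ignored.
func ResolveNpmPackage(client *http.Client, registryBase, name string) error {
	if err := ValidateNpmName(name); err != nil {
		return err
	}
	resp, err := client.Get(registryBase + "/" + url.PathEscape(name))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("registry returned %d for %q", resp.StatusCode, name)
	}
	return nil
}

// fakeRegistry is a constructed stand-in for registry.npmjs.org so the example
// runs offline: it answers 200 for known package names and 404 for anything else.
type fakeRegistry map[string]bool
func (f fakeRegistry) RoundTrip(req *http.Request) (*http.Response, error) {
	code := http.StatusNotFound
	if f[strings.TrimPrefix(req.URL.Path, "/")] {
		code = http.StatusOK
	}
	return &http.Response{StatusCode: code, Body: http.NoBody, Request: req}, nil
}
// FakeClient is an http.Client wired to a fake registry that knows only lottie-web.
var FakeClient = &http.Client{Transport: fakeRegistry{"lottie-web": true}}
```

Calling `ResolveNpmPackage(FakeClient, "https://registry.npmjs.org", "https://github.com/airbnb/lottie-web")` returns an error before any request is sent, which is the behaviour the issue asks for.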

spencerschrock commented 6 months ago

Also related to #2441