snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

feat: allow deeply out of sync lockfile #119

Closed lili2311 closed 2 years ago

lili2311 commented 3 years ago

What this does

Yarn workspaces introduce complexity where local packages are mentioned as a required dependency but are not present in the lockfile; this means that the lockfile is considered deeply out of sync by the plugin.

Allow skipping the check if the user is calling with StrictOutOfSync=false, not just for top-level dependencies but also for the transitives, as a package can rely on another local workspace which lists a workspace as a dep.

Notes for the reviewer

We already allow skipping the out-of-sync check/error, but we still had a place deeper than the top-level dependencies that would also throw. Unfortunately, Yarn Workspaces is indeed hitting this error.

The changes allow us to successfully scan https://github.com/RoadieHQ/backstage-plugin-travis-ci, which previously failed.

More information

Screenshots

Before

[screenshot: CleanShot 2021-08-10 at 12 12 44@2x]

After

[screenshot: CleanShot 2021-08-10 at 12 47 14@2x]
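As an added example (not nodejs-lockfile-parser's own code, with hypothetical package names), a small TypeScript model of the behaviour this PR describes: the lockfile lookup happens at every depth of the tree, and StrictOutOfSync=false turns a missing entry into a marked node instead of an error, for transitive dependencies as well as top-level ones.

```typescript
// Added illustration, not nodejs-lockfile-parser's own code: a minimal model of
// building a dependency tree from package.json plus a yarn.lock-style lockfile,
// with strictOutOfSync applied at every depth, not only for top-level deps.

interface LockEntry { version: string; dependencies?: Record<string, string>; }
type Lockfile = Record<string, LockEntry>;   // keyed "name@range", as yarn.lock is
interface Manifest { name: string; version: string; dependencies?: Record<string, string>; }
interface DepNode {
  name: string;
  version: string;
  dependencies: Record<string, DepNode>;
  missingLockFileEntry?: boolean;  // set instead of throwing when strict is off
}

function outOfSyncError(dep: string, parent: string): Error {
  const err = new Error('Dependency ' + dep + ' required by ' + parent + ' is not in the lockfile');
  err.name = 'OutOfSyncError';
  return err;
}

function resolve(name: string, range: string, parent: string, lock: Lockfile,
                 strict: boolean, ancestors: string[]): DepNode {
  const entry = lock[name + '@' + range];
  if (!entry) {
    if (strict) throw outOfSyncError(name, parent);
    // Lenient mode: keep the requirement visible in the tree but mark it unresolved.
    return { name: name, version: 'unknown', dependencies: {}, missingLockFileEntry: true };
  }
  const id = name + '@' + entry.version;
  const node: DepNode = { name: name, version: entry.version, dependencies: {} };
  if (ancestors.indexOf(id) !== -1) return node;   // cycle guard: stop descending
  const deps = entry.dependencies || {};
  for (const child of Object.keys(deps)) {
    node.dependencies[child] = resolve(child, deps[child], id, lock, strict, ancestors.concat(id));
  }
  return node;
}

function buildDepTree(manifest: Manifest, lock: Lockfile, strictOutOfSync: boolean = true): DepNode {
  const root: DepNode = { name: manifest.name, version: manifest.version, dependencies: {} };
  const deps = manifest.dependencies || {};
  for (const dep of Object.keys(deps)) {
    root.dependencies[dep] = resolve(dep, deps[dep], root.name, lock, strictOutOfSync, []);
  }
  return root;
}

// Constructed sample (hypothetical names): @acme/plugin-a is locked, but its
// sibling workspace package @acme/shared is never written into yarn.lock.
const sampleManifest: Manifest = { name: 'app', version: '1.0.0', dependencies: { '@acme/plugin-a': '^1.0.0' } };
const sampleLock: Lockfile = {
  '@acme/plugin-a@^1.0.0': { version: '1.0.0', dependencies: { 'left-pad': '^1.3.0', '@acme/shared': '^1.0.0' } },
  'left-pad@^1.3.0': { version: '1.3.0' },
};
```

With strictOutOfSync left at its default of true the sample still throws on the missing transitive, which is the pre-PR behaviour the description calls "deeply out of sync"; with false the scan completes and the unresolved node is flagged.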
snyksec commented 2 years ago

:tada: This PR is included in version 1.37.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: