bug: harden `npmDefaultRegistryMatcher`

[jkowalleck]

const npmDefaultRegistryMatcher = /^https?:\/\/registry\.npmjs\.org/

This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end.

vector: register registry.npmjs.org.badactor.net --

see https://github.com/CycloneDX/cyclonedx-javascript-library/security/code-scanning/1

[jkowalleck]

fix: const npmDefaultRegistryMatcher = /^https?:\/\/registry\.npmjs\.org(:?\/|$)/