
feat: use npm bulk audit endpoint #10322

Closed
jasonpaulos wants to merge 1 commit into pnpm:main from jasonpaulos:pnpm-audit-fix

Conversation

jasonpaulos (Contributor) commented Dec 15, 2025

Update @pnpm/audit to use the npm bulk audit endpoint. Additionally, use the package @npmcli/metavuln-calculator to calculate meta-vulnerabilities similar to how npm audit behaves ref.

This will enable pnpm to automatically fix vulnerable dependencies similar to npm audit fix.

Work needed:

  • Call bulk audit endpoint instead of quick audit endpoint
  • Return the results in a format similar to AuditReport from the @npmcli/arborist Arborist.audit() method
  • Support for identifying force fixing opportunities, where updating a top-level dependency to a higher semver major version would resolve the vulnerability
  • Use the report to make changes to the lockfile dependency tree to fix the vulnerabilities
  • More testing

zkochan (Member) commented Dec 17, 2025

What is bulk audit and how does it differ from the endpoint that we currently use?

jasonpaulos (Contributor, Author) commented:

The best public documentation about the bulk audit endpoint is here: https://docs.npmjs.com/cli/v11/commands/npm-audit#audit-endpoints. The bulk audit endpoint is a newer, simpler endpoint that takes a list of dependencies and versions instead of an entire tree.

Originally, I thought migrating to the bulk audit endpoint would be necessary for the audit command to support updating packages directly in the lockfile instead of adding overrides. However, I realized this isn't true, so I started a new PR which adds audit update support without changing the audit endpoint. I think that is a better place to start, so I will close this in favor of the new PR #10341.

It likely does make sense to add the ability to use the bulk audit endpoint as well, but that can be done after.
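As an added illustration (not code from this PR, from pnpm or from npm), the difference the comment above describes: a nested dependency tree of the kind the quick audit endpoint consumes, flattened into the bulk endpoint's map of package name to installed versions, and the response mapped back onto the tree. The `name -> [versions]` body and the `vulnerable_versions` field are my reading of the npm documentation linked above and should be treated as assumptions; the package names, versions and advisory data are constructed, and the semver matcher handles only a small subset of range syntax.

```typescript
// Added illustration, not pnpm or npm code. The tree below is constructed;
// the request/response shape is an assumption based on the npm audit docs.
interface DepNode { version: string; dependencies?: Record<string, DepNode>; }
interface Advisory { id: number; severity: string; vulnerable_versions: string; }
const sampleTree: Record<string, DepNode> = {
  foo: { version: '1.0.0', dependencies: { bar: { version: '2.1.0' } } },
  qux: { version: '4.0.0', dependencies: { bar: { version: '2.1.0' }, baz: { version: '0.4.1' } } },
  baz: { version: '0.3.0' },
};
// Flatten into the bulk body: name -> sorted unique versions found anywhere in
// the tree, so each installed (name, version) pair is asked about exactly once.
function buildBulkAuditBody(tree: Record<string, DepNode>): Record<string, string[]> {
  const seen = new Map<string, Set<string>>();
  const walk = (deps: Record<string, DepNode>): void => {
    for (const [name, node] of Object.entries(deps)) {
      if (!seen.has(name)) seen.set(name, new Set());
      seen.get(name)!.add(node.version);
      if (node.dependencies) walk(node.dependencies);
    }
  };
  walk(tree);
  const sorted = [...seen].sort(([a], [b]) => a.localeCompare(b));
  return Object.fromEntries(sorted.map(([name, vs]) => [name, [...vs].sort()] as [string, string[]]));
}
// Numeric MAJOR.MINOR.PATCH compare; prerelease tags are out of scope here.
function cmp(a: string, b: string): number {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Subset of semver ranges: space-separated comparators such as ">=0.4.0 <0.5.0".
function satisfies(version: string, range: string): boolean {
  return range.split(/\s+/).every((c) => {
    const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) return false;
    const d = cmp(version, m[2]);
    const ops: Record<string, boolean> = { '<': d < 0, '<=': d <= 0, '>': d > 0, '>=': d >= 0 };
    return ops[m[1]] ?? d === 0;
  });
}
// Map the response (name -> advisories) back onto the installed versions,
// returning only the (name, version) pairs that fall inside a vulnerable range.
function affectedVersions(body: Record<string, string[]>, response: Record<string, Advisory[]>): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const [name, advisories] of Object.entries(response)) {
    const hit = (body[name] ?? []).filter((v) => advisories.some((a) => satisfies(v, a.vulnerable_versions)));
    if (hit.length) out[name] = hit;
  }
  return out;
}
```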
