
RTECO-1055 - Treat pnpm workspace as standalone#3451

Open
fluxxBot wants to merge 1 commit into master from RTECO-1055-pnpmWorkspace

Conversation


@fluxxBot fluxxBot commented Apr 23, 2026

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • The pull request is targeting the master branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....

Problem

jf pnpm install unconditionally ran pnpm ls -r --depth Infinity --json when collecting build-info. This ignored the user's workspace intent in two scenarios:

  1. Sub-package invocation: cd apps/web-app && jf pnpm install produced a multi-module build-info containing every workspace package, not just web-app.
  2. --ignore-workspace flag: pnpm install --ignore-workspace was honored by pnpm during install, but the subsequent pnpm ls -r re-enumerated the entire monorepo, leaking sibling/root deps into the build-info.

Downstream SBOM / Xray consumers therefore saw phantom dependencies that didn't actually belong to the built package.

Fix

The build-info pnpm ls call now matches the user's intent:

  • isPnpmWorkspaceSubPackage — uses pnpm root -w plus symlink-resolved path compare. When the working directory is a workspace sub-package, -r is dropped and only the current package's deps are collected.
  • extractLsForwardFlags — forwards --ignore-workspace from the install args to pnpm ls, so build-info respects the flag.
  • buildPnpmLsArgs — also drops -r when --ignore-workspace is forwarded (pnpm would otherwise emit concatenated JSON arrays that aren't parseable by encoding/json).

Workspace-root invocation without --ignore-workspace keeps the existing -r multi-module behavior — no regression for current CI flows.

Summary

Adds two end-to-end tests covering the fix in jfrog-cli-artifactory that scopes pnpm build-info to the invoked package:

  • TestPnpmInstallSubPackageScopesBuildInfo — runs jf pnpm install from packages/nested1/ and asserts the resulting build-info contains exactly nested1:1.0.0 with only its own loadash dependency. No xml from sibling nested2, no json from the workspace root.
  • TestPnpmInstallIgnoreWorkspaceScopesBuildInfo — runs jf pnpm install --ignore-workspace from the workspace root and asserts only pnpm-workspace-root:1.0.0 with its json devDep is present (no sibling leakage).

Fixture change

The pnpmworkspace testdata is tweaked so each package has a distinct dependency, making leakage a positive assertion (presence of a foreign dep fails the test):

Location          Before            After
root (private)    xml + json (dev)  json (dev)
packages/nested1  loadash           loadash
packages/nested2  loadash           xml

Impact on existing tests

None. TestPnpmPublishWorkspace and TestPnpmInstallAndPublishWorkspace assert on structural properties (module count, tarball names, has-deps) — all still hold after the fixture change.

depends on:

  1. RTECO-1055 - Treat pnpm workspace as standalone jfrog-cli-artifactory#431
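The decision logic described under Fix, as an added Go example that is not the PR's or jfrog-cli's own code: isWorkspaceSubPackage and buildLsArgs are hypothetical names, the workspace root is passed in by the caller instead of being derived from pnpm root -w, and the sample install args are constructed. It shows why -r is dropped for a sub-package or an --ignore-workspace install, so only the invoked package's dependencies reach the build-info and the SBOM.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// isWorkspaceSubPackage reports whether workDir lies strictly below workspaceRoot.
// The real code derives the root from `pnpm root -w`; the caller passes it here so
// the example runs without pnpm. Both paths are symlink-resolved before comparing.
func isWorkspaceSubPackage(workDir, workspaceRoot string) (bool, error) {
	wd, err := filepath.EvalSymlinks(workDir)
	if err != nil {
		return false, err
	}
	root, err := filepath.EvalSymlinks(workspaceRoot)
	if err != nil {
		return false, err
	}
	// Equal paths mean a root invocation; a sibling or parent directory is outside.
	return strings.HasPrefix(wd, root+string(filepath.Separator)), nil
}

// buildLsArgs assembles the `pnpm ls` args used for build-info. Recursive -r is
// kept only for a workspace-root invocation without --ignore-workspace; in every
// other case it would pull sibling and root deps into the build-info and SBOM.
func buildLsArgs(subPackage bool, installArgs []string) []string {
	ignore := false // like extractLsForwardFlags: forward --ignore-workspace from install args
	for _, a := range installArgs {
		if a == "--ignore-workspace" {
			ignore = true
		}
	}
	args := []string{"ls"}
	if !subPackage && !ignore {
		args = append(args, "-r")
	}
	args = append(args, "--depth", "Infinity", "--json")
	if ignore {
		args = append(args, "--ignore-workspace")
	}
	return args
}

func main() {
	fmt.Println(buildLsArgs(true, []string{"install"})) // sub-package: no -r
}
```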

@fluxxBot fluxxBot requested review from a team, agrasth, bhanurp, itsmeleela, naveenku-jfrog and reshmifrog and removed request for a team April 23, 2026 09:40
@fluxxBot fluxxBot added the improvement Automatically generated release notes label Apr 23, 2026
@github-actions
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@fluxxBot fluxxBot added the safe to test Approve running integration tests on a pull request label Apr 23, 2026