
fix(arborist): don't load store packages' devDependencies as required edges #9626

Open
manzoorwanijk wants to merge 1 commit into npm:latest from manzoorwanijk:fix/linked-sbom-store-devdeps

Conversation

@manzoorwanijk manzoorwanijk commented Jun 24, 2026

Contributor

In continuation of our exploration of using install-strategy=linked in the Gutenberg monorepo, which

Under install-strategy=linked, npm sbom exited non-zero with ESBOMPROBLEMS, reporting the devDependencies of transitive packages (e.g. matcha, tape) as missing: ... required by .... Those dev dependencies are correctly not installed (the same is true under hoisted), yet only the linked strategy treated them as missing-and-required. Hoisted produced a clean SBOM for the same dependency set.

Why

A package in the linked strategy's store lives at node_modules/.store/<key>/node_modules/<pkg>, which makes it a structural tree top (isTop, no parent). Node._loadDeps loads devDependencies for every top node, so each store package — a transitive dependency whose devDependencies are never installed — gained required dev edges. npm sbom reads the filesystem tree via loadActual, queries it, and flags every non-optional missing edge, so those spurious dev edges surfaced as ESBOMPROBLEMS. Standalone npm audit was unaffected because it audits the virtual tree from the lockfile. Hoisted was unaffected because its transitive packages have a real parent, so they are not tops and never load devDependencies.

How

load-actual.js now flags a node as isInStore when its realpath sits inside a node_modules/.store/ directory, matching the flag the isolated reifier already sets on ideal-tree store nodes. Node._loadDeps excludes store nodes from the devDependency load (isTop && !globalTop && path && !this.isInStore), so a store package — a transitive dependency by definition — never gains required dev edges. This makes the linked actual tree's edge semantics match hoisted.

References

Fixes #9610
Part of #9608

@manzoorwanijk manzoorwanijk marked this pull request as ready for review June 24, 2026 08:44
@manzoorwanijk manzoorwanijk requested review from a team as code owners June 24, 2026 08:44
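To make the failure mode described in the PR concrete, here is an added, self-contained model of the devDependency edge rule before and after the fix. It is not arborist's code or the PR's diff: the node shape, the `.store` path check, and the sample tree (with a constructed dev-only package name) are assumptions that mirror what the description states.

```javascript
// Assumption (not arborist's own code): a minimal node carrying only the fields the PR discusses.
// A node with no parent is a structural tree top, exactly as a store package is under linked.
function makeNode({ name, realpath, parent = null, globalTop = false, pkg }) {
  return { name, realpath, parent, globalTop, pkg, isTop: parent === null };
}

// Store packages live at node_modules/.store/<key>/node_modules/<pkg>: flag a node when its
// realpath contains a `.store` segment directly under a `node_modules` segment (posix paths assumed).
function isInStore(realpath) {
  const segs = realpath.split('/');
  return segs.some((s, i) => s === 'node_modules' && segs[i + 1] === '.store');
}

// The devDependency load condition: `isTop && !globalTop && path` before the fix,
// with `&& !isInStore` added after it (realpath stands in for `path` in this model).
function loadsDevDeps(node, { fixed }) {
  const base = node.isTop && !node.globalTop && Boolean(node.realpath);
  return fixed ? base && !isInStore(node.realpath) : base;
}

// Required edges for a node: dependencies always, devDependencies only when loadsDevDeps allows.
function requiredEdges(node, opts) {
  const edges = Object.keys(node.pkg.dependencies || {}).map(n => ({ name: n, type: 'prod' }));
  if (loadsDevDeps(node, opts)) {
    for (const n of Object.keys(node.pkg.devDependencies || {})) edges.push({ name: n, type: 'dev' });
  }
  return edges;
}

// Mimic the sbom check: every required edge whose target is not installed is a problem.
function missingEdges(nodes, installed, opts) {
  const out = [];
  for (const node of nodes) {
    for (const e of requiredEdges(node, opts)) {
      if (!installed.has(e.name)) out.push(`${e.name} required by ${node.name}`);
    }
  }
  return out;
}

// Constructed sample: a linked-strategy tree where the store package `tape` declares a
// devDependency (`dev-only-tool`, a made-up name) that is correctly not installed.
const root = makeNode({ name: 'monorepo', realpath: '/w/monorepo', pkg: { dependencies: { tape: '*' } } });
const tape = makeNode({ name: 'tape', realpath: '/w/monorepo/node_modules/.store/tape@5/node_modules/tape',
  pkg: { dependencies: {}, devDependencies: { 'dev-only-tool': '*' } } });
const linkedTree = [root, tape];
const installed = new Set(['tape']);

function reportBefore() { return missingEdges(linkedTree, installed, { fixed: false }); }
function reportAfter() { return missingEdges(linkedTree, installed, { fixed: true }); }
```

`reportBefore()` reproduces the spurious "required by tape" problem, while `reportAfter()` returns no problems for the same tree.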


Successfully merging this pull request may close these issues:

[BUG] install-strategy=linked: npm sbom fails with ESBOMPROBLEMS (transitive devDependencies reported missing)
