
fix(arborist): honor omit flags for deps of linked-in packages (#9624)#9685

Open
Sanjays2402 wants to merge 1 commit into
npm:latestfrom
Sanjays2402:fix/issue-9624

Conversation

@Sanjays2402


Description

npm audit --production (and npm audit --omit=dev / --omit=optional / --omit=peer) was reporting vulnerabilities in the dev dependencies of npm link-ed packages.

Reproduction from issue #9624:

  1. Find a package foo where npm audit fails on its dev deps.
  2. Run npm link inside foo.
  3. In another project that depends on foo, run npm link foo.
  4. Run npm audit --production.

Expected: the linked package's dev deps are ignored, the same way they are for direct dev deps of the consumer.
Actual: the linked package's dev deps were audited and reported.

The cause is in Node#shouldOmit (workspaces/arborist/lib/node.js). The method bails out early whenever the node's top is not the project root or a workspace:

const { top } = this
if (!top.isProjectRoot && !top.isWorkspace) {
  return false
}

For a node that lives inside an npm link-ed package, top is the link target, which is its own filesystem root (isTop === true, parent === null) and is therefore neither isProjectRoot nor isWorkspace. The omit gate never runs, so shouldOmit returns false for every flavor of omit and AuditReport#prepareBulkData includes the linked package's devDependencies in the bulk request even when the caller asked for omit=['dev']. calcDepFlags already classifies those nodes correctly (devdep.dev === true), so this was strictly the gate that was wrong.

The fix keeps the original gate but adds one more accepted case: if the top is a link target whose .root still resolves to the consuming project root (or a workspace), and the link is actually wired into the project (top.linksIn.size > 0), fall through to the usual dev/optional/peer/devOptional flag check instead of bailing out. The dep flags themselves are unchanged, so omit=dev now correctly hides the linked package's devDependencies while still keeping its prod deps.

Existing Issue

Fixes #9624

Screenshots

N/A, behavior change is observable through the audit bulk payload and the report itself.

AI Disclosure

This change was written with the assistance of Claude. I have reviewed the diff and the test and take responsibility for the code.

Test Coverage

Added a regression test in workspaces/arborist/test/audit-report.js that builds a small tree directly with Node and Link:

  • a project root that consumes foo via a Link
  • foo target with proddep (prod) and devdep (dev) children
  • runs calcDepFlags then checks AuditReport#prepareBulkData() with and without omit: ['dev']

The test verifies all four directions:

  • no omit + linked dev dep => audited
  • no omit + linked prod dep => audited
  • omit=['dev'] + linked dev dep => omitted (the bug)
  • omit=['dev'] + linked prod dep => still audited (regression guard)

Verified the test fails on latest at exactly the new assertion (linked package's dev dep is omitted under omit=dev) and passes with the patched Node#shouldOmit. Also ran the full workspaces/arborist/test/audit-report.js, workspaces/arborist/test/arborist/audit.js, and workspaces/arborist/test/node.js suites locally and they all pass with the change in place.

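To make the gate change concrete, here is an added model of the two versions of the gate described in the PR (original and patched) run over the reproduction tree from the test. It is not code from this PR or from arborist: the Node, makeLink, auditedNames and buildTree names are a constructed stand-in that keeps only the fields Node#shouldOmit consults, and auditedNames stands in for the node selection done by AuditReport#prepareBulkData.

```javascript
// Constructed model of the tree shapes in this bug, not arborist's own Node
// and Link classes: only the fields Node#shouldOmit consults are modelled.
class Node {
  constructor (name, opts = {}) {
    Object.assign(this, { name, parent: null, isProjectRoot: false,
      isWorkspace: false, dev: false, optional: false, peer: false }, opts)
    this.linksIn = new Set() // Link nodes pointing at this node
    this.children = []
    if (this.parent) this.parent.children.push(this)
  }
  get top () { return this.parent ? this.parent.top : this } // a link target is its own top
  get root () { // for a link target: the root of the project whose Link points at it
    const [link] = this.top.linksIn
    return this.top.isProjectRoot || !link ? this.top : link.root
  }
}
// A Link sits in the consumer tree and points at a separate target tree
function makeLink (name, parent, target) {
  const l = Object.assign(new Node(name, { parent }), { target })
  target.linksIn.add(l); return l
}
const flagCheck = (n, omit) =>
  ['dev', 'optional', 'peer'].some((f) => omit.has(f) && n[f])
// Original gate: bail out unless top is the project root or a workspace
function shouldOmitBefore (node, omit) {
  const { top } = node
  return (top.isProjectRoot || top.isWorkspace) && flagCheck(node, omit)
}
// Patched gate: also accept a linked-in target whose .root is the project
function shouldOmitAfter (node, omit) {
  const { top } = node
  const linkedIn = top.linksIn.size > 0 && (top.root.isProjectRoot || top.root.isWorkspace)
  return (top.isProjectRoot || top.isWorkspace || linkedIn) && flagCheck(node, omit)
}
// Sorted names that would reach the audit bulk request under the given gate
function auditedNames (node, omit, shouldOmit, seen = new Set()) {
  if (seen.has(node)) return []
  seen.add(node)
  const self = node.isProjectRoot || node.target || shouldOmit(node, omit) ? [] : [node.name]
  const next = node.target ? [node.target] : node.children
  return next.reduce((a, c) => a.concat(auditedNames(c, omit, shouldOmit, seen)), self).sort()
}
function buildTree () { // consumer --Link--> foo target with prod and dev children
  const root = new Node('consumer', { isProjectRoot: true })
  const foo = new Node('foo') // parentless link target, so its own top
  new Node('proddep', { parent: foo })
  new Node('devdep', { parent: foo, dev: true }) // flagged dev, as calcDepFlags would
  makeLink('foo', root, foo)
  return root
}
```

With omit=['dev'] the original gate still audits devdep, while the patched gate drops it and keeps foo and proddep; a target with an empty linksIn is still left alone by both gates.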

Node#shouldOmit bailed out whenever a node's `top` was not the project root or a workspace, returning false unconditionally. For nodes inside an `npm link`-ed package, `top` is the link target, which lives at its own filesystem root and is therefore neither isProjectRoot nor isWorkspace. The omit gate never ran, so `npm audit --production` (omit=dev) surfaced the linked dependency's own devDependencies even though they were correctly flagged as dev by calcDepFlags.

Detect this case by checking that the node's `.root` still resolves to the consuming project (or workspace) and that `top.linksIn` is non-empty, then fall through to the usual dev/optional/peer flag check.
@Sanjays2402 Sanjays2402 requested review from a team as code owners June 28, 2026 04:46

Development

Successfully merging this pull request may close these issues.

[BUG] npm audit --production reports linked packages' dev deps