refactor(shrinkwrap-extractor): Refactor test fixtures (#1226)

The `shrinkwrap-extractor` tests use real `package-lock.json` samples as
fixtures. GitHub Dependabot scans all `package-lock.json` files in the
repository and reports vulnerabilities, even though these are:
- Test-only data files (never installed or executed)
- Part of a private package (`shrinkwrap-extractor`)
- Parsed virtually by `@npmcli/arborist.loadVirtual()` without
installing packages

This creates false-positive security alerts at
https://github.com/UI5/cli/security/dependabot.

The solution is to rename test fixtures from `package-lock.json` to
`package-lock.fixture.json` so Dependabot ignores them.

Since `@npmcli/arborist.loadVirtual()` requires a file named exactly
`package-lock.json`, we create temporary symlinks during test execution.
Symlinks are automatically cleaned up after each test.

Author: d3xter666

…valid/invalid-packages/package-lock.json …valid-packages/package-lock.fixture.jsoninternal/shrinkwrap-extractor/test/fixture/invalid/invalid-packages/package-lock.json renamed to internal/shrinkwrap-extractor/test/fixture/invalid/invalid-packages/package-lock.fixture.json internal/shrinkwrap-extractor/test/fixture/invalid/invalid-packages/package-lock.json renamed to internal/shrinkwrap-extractor/test/fixture/invalid/invalid-packages/package-lock.fixture.json

@@ -1,5 +1,5 @@
 import path from "node:path";
-import {readFile, mkdir, writeFile, unlink} from "node:fs/promises";
+import {readFile, mkdir, writeFile, unlink, symlink} from "node:fs/promises";
 import convertPackageLockToShrinkwrap from "../../lib/convertPackageLockToShrinkwrap.js";
 import {test} from "node:test";
 import assert from "node:assert";
@@ -18,10 +18,27 @@ function setupPacoteMock() {
 	});
 }
 
+/**
+ * Create a temporary symlink from package-lock.fixture.json to package-lock.json
+ * This is needed because @npmcli/arborist.loadVirtual() expects package-lock.json
+ *
+ * @param {string} fixtureDir - Directory containing the fixture file
+ * @returns {Promise<string>} Path to the created symlink
+ */
+async function setupFixtureSymlink(fixtureDir) {
+	const symlinkPath = path.join(fixtureDir, "package-lock.json");
+	const targetPath = "package-lock.fixture.json";
+	await symlink(targetPath, symlinkPath);
+	return symlinkPath;
+}
+
 test("Convert package-lock.json to shrinkwrap", async (t) => {
 	const __dirname = import.meta.dirname;
 
 	const cwd = path.join(__dirname, "..", "fixture", "project.a");
+	const symlinkPath = await setupFixtureSymlink(cwd);
+	t.after(async () => await unlink(symlinkPath).catch(() => {}));
+
 	const targetPackageName = "@ui5/cli";
 	const shrinkwrapJson = await convertPackageLockToShrinkwrap(cwd, targetPackageName);
 
@@ -80,6 +97,9 @@ test("Compare generated shrinkwrap with expected result", async (t) => {
 
 	// Generate shrinkwrap from fixture
 	const cwd = path.join(__dirname, "..", "fixture", "project.a");
+	const symlinkPath = await setupFixtureSymlink(cwd);
+	t.after(async () => await unlink(symlinkPath).catch(() => {}));
+
 	const targetPackageName = "@ui5/cli";
 	const generatedShrinkwrap = await convertPackageLockToShrinkwrap(cwd, targetPackageName);
 
@@ -131,6 +151,9 @@ test("Compare generated shrinkwrap with expected result", async (t) => {
 
 	// Generate shrinkwrap from fixture
 	const cwd = path.join(__dirname, "..", "fixture", "project.b");
+	const symlinkPath = await setupFixtureSymlink(cwd);
+	t.after(async () => await unlink(symlinkPath).catch(() => {}));
+
 	const targetPackageName = "@ui5/cli";
 
 	const generatedShrinkwrap = await convertPackageLockToShrinkwrap(cwd, targetPackageName);
@@ -150,6 +173,8 @@ test("Compare generated shrinkwrap with expected result", async (t) => {
 test("Error handling - invalid target package name", async (t) => {
 	const __dirname = import.meta.dirname;
 	const validCwd = path.join(__dirname, "..", "fixture", "project.a");
+	const symlinkPath = await setupFixtureSymlink(validCwd);
+	t.after(async () => await unlink(symlinkPath).catch(() => {}));
 
 	await assert.rejects(
 		convertPackageLockToShrinkwrap(validCwd, null),
@@ -170,6 +195,8 @@ test("Error handling - invalid target package name", async (t) => {
 test("Error handling - target package not found", async (t) => {
 	const __dirname = import.meta.dirname;
 	const validCwd = path.join(__dirname, "..", "fixture", "project.a");
+	const symlinkPath = await setupFixtureSymlink(validCwd);
+	t.after(async () => await unlink(symlinkPath).catch(() => {}));
 
 	await assert.rejects(
 		convertPackageLockToShrinkwrap(validCwd, "non-existent-package"),
@@ -187,28 +214,45 @@ test("Error handling - invalid workspace directory", async (t) => {
 test("Error handling - invalid package-lock.json files", async (t) => {
 	const __dirname = import.meta.dirname;
 
+	// Setup symlinks for all invalid fixtures
+	const malformedDir = path.join(__dirname, "..", "fixture", "invalid", "malformed");
+	const noPackagesDir = path.join(__dirname, "..", "fixture", "invalid", "no-packages");
+	const invalidPackagesDir = path.join(__dirname, "..", "fixture", "invalid", "invalid-packages");
+	const v2Dir = path.join(__dirname, "..", "fixture", "invalid", "v2");
+
+	const symlinks = [
+		await setupFixtureSymlink(malformedDir),
+		await setupFixtureSymlink(noPackagesDir),
+		await setupFixtureSymlink(invalidPackagesDir),
+		await setupFixtureSymlink(v2Dir)
+	];
+
+	// Cleanup all symlinks after test
+	t.after(async () => {
+		await Promise.all(symlinks.map((link) => unlink(link).catch(() => {})));
+	});
+
 	// Test malformed JSON
 	await assert.rejects(
-		convertPackageLockToShrinkwrap(path.join(__dirname, "..", "fixture", "invalid", "malformed"), "@ui5/cli"),
+		convertPackageLockToShrinkwrap(malformedDir, "@ui5/cli"),
 		/Unexpected token/
 	);
 
 	// Test missing packages field
 	await assert.rejects(
-		convertPackageLockToShrinkwrap(path.join(__dirname, "..", "fixture", "invalid", "no-packages"), "@ui5/cli"),
+		convertPackageLockToShrinkwrap(noPackagesDir, "@ui5/cli"),
 		/Invalid package-lock\.json: missing packages field/
 	);
 
 	// Test invalid packages field
 	await assert.rejects(
-		convertPackageLockToShrinkwrap(
-			path.join(__dirname, "..", "fixture", "invalid", "invalid-packages"), "@ui5/cli"),
+		convertPackageLockToShrinkwrap(invalidPackagesDir, "@ui5/cli"),
 		/Invalid package-lock\.json: packages field must be an object/
 	);
 
 	// Test unsupported lockfile version
 	await assert.rejects(
-		convertPackageLockToShrinkwrap(path.join(__dirname, "..", "fixture", "invalid", "v2"), "@ui5/cli"),
+		convertPackageLockToShrinkwrap(v2Dir, "@ui5/cli"),
 		/Unsupported lockfile version: 2\. Only lockfile version 3 is supported/
 	);
 });