Conversation

@JamesPatrickGill
Member

What this does

Fixes a bug in npm lockfile v2 parsing where dependencies could not be resolved when a top-level alias shadows a nested real package.

Example scenario:

  • Root package.json has "@types/node": "npm:@types/web@^0.0.148" (aliased)
  • A nested dependency (apache-arrow) depends on the real "@types/node": "^20.13.0"
  • The lockfile has both: node_modules/@types/node (actually @types/web) and node_modules/apache-arrow/node_modules/@types/node (real @types/node)

Previously, the code resolved the package name from the first candidate globally, causing the nested real @types/node to be incorrectly filtered out during ancestry matching (because it expected @types/web in the ancestry). This resulted in a false OutOfSyncError.

The fix moves the name resolution inside the candidate filter loop so each candidate resolves its own real package name for ancestry matching.

Notes for the reviewer

To reproduce the original issue:
npx jest test/jest/dep-graph-builders/npm-lock-v2.test.ts

The new test fixture nested-non-alias-with-top-level-alias covers this specific edge case where:

  1. A top-level dependency is aliased (@types/node@types/web)
  2. A transitive dependency requires the real package (@types/node@^20.13.0)
  3. Both exist in the lockfile at different paths

More information

Screenshots

N/A - internal parsing logic change
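A simplified model of the candidate-filtering step described above, added here as an example and not the lockfile parser's own code. The `packages` map is a constructed npm lockfile v2 fragment mirroring the PR scenario; `resolve(..., false)` resolves the real name once from the first candidate (the old behaviour), `resolve(..., true)` resolves it per candidate (the fix), and the ancestry walk is an assumed simplification of node-style upward lookup.

```javascript
// Constructed lockfile v2 "packages" fragment: a top-level alias shadows a nested real package.
const packages = {
  "": { dependencies: { "@types/node": "npm:@types/web@^0.0.148", "apache-arrow": "^15.0.0" } },
  "node_modules/@types/node": { name: "@types/web", version: "0.0.148" }, // alias target
  "node_modules/apache-arrow": { version: "15.0.0", dependencies: { "@types/node": "^20.13.0" } },
  "node_modules/apache-arrow/node_modules/@types/node": { version: "20.13.0" }, // real package
};

class OutOfSyncError extends Error {}

// npm records the real name on aliased entries; otherwise the key's package name is the real name.
const realName = (entry, depName) => entry.name ?? depName;

// "npm:@types/web@^0.0.148" requests the real package @types/web; a plain range requests depName.
function requestedName(spec, depName) {
  if (!spec.startsWith("npm:")) return depName;
  const body = spec.slice(4);
  const at = body.lastIndexOf("@");
  return at > 0 ? body.slice(0, at) : body;
}

// Parent package path of a lockfile entry ("" for a top-level node_modules entry).
const parentOf = (p) => p.slice(0, Math.max(0, p.lastIndexOf("/node_modules/")));

// Assumed ancestry rule: a candidate is reachable if it lives in the requirer's own
// node_modules or in the node_modules of one of the requirer's ancestors.
function reachable(candidatePath, requirerPath) {
  for (let p = requirerPath; ; p = parentOf(p)) {
    if (parentOf(candidatePath) === p) return true;
    if (p === "") return false;
  }
}

// Resolve depName for the package at requirerPath; returns the chosen lockfile path.
// perCandidate=false: one real name taken from the first candidate (old behaviour).
// perCandidate=true: each candidate resolves its own real name before the name/ancestry check.
function resolve(requirerPath, depName, perCandidate) {
  const expected = requestedName(packages[requirerPath].dependencies[depName], depName);
  const candidates = Object.keys(packages).filter((k) => k.endsWith(`node_modules/${depName}`));
  const globalName = candidates.length ? realName(packages[candidates[0]], depName) : undefined;
  const matches = candidates.filter((path) => {
    const name = perCandidate ? realName(packages[path], depName) : globalName;
    return name === expected && reachable(path, requirerPath);
  });
  if (matches.length === 0) throw new OutOfSyncError(`${depName} required by "${requirerPath}"`);
  return matches.sort((a, b) => b.length - a.length)[0]; // nearest (deepest) candidate wins
}
```

With the global resolution, apache-arrow's request for the real `@types/node` raises the false OutOfSyncError because every candidate is compared against `@types/web`; per-candidate resolution picks the nested real package.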

@JamesPatrickGill JamesPatrickGill requested review from a team as code owners November 27, 2025 11:13
@JamesPatrickGill JamesPatrickGill force-pushed the fix/nodejs-transitive-with-a-top-level-alias-but-transitive-is-not branch from e446b31 to 9e53a97 November 27, 2025 11:15
@JamesPatrickGill JamesPatrickGill merged commit 2a56305 into main Nov 27, 2025
5 checks passed
@JamesPatrickGill JamesPatrickGill deleted the fix/nodejs-transitive-with-a-top-level-alias-but-transitive-is-not branch November 27, 2025 16:44
@snyksec

snyksec commented Nov 27, 2025

🎉 This PR is included in version 2.4.4 🎉

The release is available on:

Your semantic-release bot 📦🚀
