Syft Extract dependencies from Package.json in JavaScript Package Cataloger

[murarishetti]

What would you like to be added:
Today, JavaScript package cataloger parses only parent name and version but it did not extract dependencies listed in package.json

Why is this needed:
It is a gap in the parser and we are missing dependencies listed in the package manager file

Additional context:
In the below package.json file, Syft today extracts only name and version but not dependencies listed.

Source/Input: "Directory"

{
    "name": "test-3p",
    "version": "0.0.1",
    "description": "Test",
    "lockfileVersion": 1,
    "engines": {
      "node": ">=16.17.1"
    },
    "dependencies": {
      "loadash": "4.17.15",
      "epxress": "4.17.1"
    }
}

[wagoodman]

For who picks this up: we should clarify is this a directory scan or an image scan. We've coupled this to #572 which is about adding edges... but this issue is about adding nodes to the SBOM based. We should look at our existing catalogers carefully here: if we start picking up dependencies from the package.json how will this affect both dir scans (where there might not be a node_modules dir but tends to be a package-lock.json) vs an image scan (where there is no source repo, but there tends to be a populated node_modules dir).

[murarishetti]

Input is a directory but node_modules and package-lock.json are not available.