feat(dlx): add @npmcli/arborist for dependency installation

Add Arborist to properly install package dependencies after extraction.
pacote.extract() only extracts the package tarball but does NOT install
dependencies. We must use Arborist to install dependencies for dlx packages.

Changes:
- Add @npmcli/arborist to build-externals config
- Add arborist type definitions and stub
- Use Arborist.buildIdealTree() and reify() after pacote extraction
- Configure arborist with same cache path as pacote for consistency
- Skip devDependencies (production-only, matching npx behavior)

This ensures dlx packages have their dependencies properly installed.

chore(deps): update tooling versions and add @npmcli/arborist

- Update pnpm: 10.21.0 → 10.22.0
- Update Node.js minimum: >=18 → >=22
- Add @npmcli/arborist@9.1.4 to devDependencies
- Add @yarnpkg/core@4.5.0 to devDependencies
- Update pnpm-lock.yaml with new dependencies

test: add @npmcli/arborist to external bundling tests

Add test validation for @npmcli/arborist in dist/external/ to ensure:
- Package is properly bundled (file exists and > 1KB)
- Package is not a stub re-export
- Package exports are correctly transformed

Follows the same pattern as existing @InQuirer module tests.

fix(dlx): prevent post-install scripts from running

Add ignoreScripts: true to Arborist options to prevent install and
post-install scripts from running during dlx package installation.
This is a security measure to prevent potentially malicious scripts
from executing during dependency installation.

Author: jdalton

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@socketsecurity/lib",
   "version": "3.3.1",
-  "packageManager": "pnpm@10.21.0",
+  "packageManager": "pnpm@10.22.0",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [
@@ -649,7 +649,7 @@
     "CHANGELOG.md"
   ],
   "engines": {
-    "node": ">=18",
+    "node": ">=22",
     "pnpm": ">=10.21.0"
   },
   "sideEffects": false,
@@ -680,6 +680,7 @@
     "@inquirer/password": "4.0.18",
     "@inquirer/search": "3.1.1",
     "@inquirer/select": "4.3.2",
+    "@npmcli/arborist": "9.1.4",
     "@npmcli/package-json": "7.0.0",
     "@npmcli/promise-spawn": "8.0.3",
     "@socketregistry/is-unicode-supported": "1.0.5",
@@ -690,6 +691,7 @@
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",
     "@vitest/ui": "4.0.3",
+    "@yarnpkg/core": "4.5.0",
     "@yarnpkg/extensions": "2.0.6",
     "cacache": "20.0.1",
     "debug": "4.4.3",