refactor(audit): read attestation bundles from separate _attestationBundles attribute

Update verify-signatures to destructure _attestationBundles from the
pacote manifest (a separate attribute from _attestations) and include
it in the verified entries JSON output. This aligns with the pacote
change that stores bundles on a separate _ attribute to avoid future
collisions with registry schema.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Mitch Denny

lib/utils/verify-signatures.js

@@ -297,6 +297,7 @@ class VerifySignatures {
       _integrity: integrity,
       _signatures,
       _attestations,
+      _attestationBundles,
       _resolved: resolved,
     } = await pacote.manifest(`${name}@${version}`, {
       verifySignatures: true,
@@ -309,6 +310,7 @@ class VerifySignatures {
       integrity,
       signatures,
       attestations: _attestations,
+      attestationBundles: _attestationBundles,
       resolved,
     }
     return result
@@ -334,9 +336,8 @@ class VerifySignatures {
     }
 
     try {
-      const { integrity, signatures, attestations, resolved } = await this.verifySignatures(
-        name, version, registry
-      )
+      const { integrity, signatures, attestations, attestationBundles, resolved } =
+        await this.verifySignatures(name, version, registry)
 
       // Currently we only care about missing signatures on registries that provide a public key
       // We could make this configurable in the future with a strict/paranoid mode
@@ -365,6 +366,7 @@ class VerifySignatures {
             location,
             registry,
             attestations,
+            attestationBundles,
           })
         }
       }