Check for the presence of installed packages (NPM, PyPI etc.) even if not in dependencies file

[willgibson-madetech]

As an Engineer Running the CVE Scanner
I want installed packages to be discovered even if they are not in the dependencies file
So that things installed by other means or left lying around for other reasons are detected

[willgibson-madetech]

This may already be covered. Worth taking the time to be sure.

➜ ./scan.sh scanners/CVE-2026-33228 ../../blah/blah/blah
CVE-2026-33228 Scanner — Prototype pollution in flatted circular JSON parser via unvalidated array index keys
Scan root:     /Users/blah/blah/blah/blah/blah
Files scanned: 33677 (4291 dirs, scanned in 4m 41s)

[VULNERABLE PACKAGES]
  [HIT] /Users/blah/blah/blah/blah/blah/node_modules/flatted/package.json
        Package: flatted@3.3.3
        malicious version of flatted (supply chain compromise)
  [HIT] /Users/blah/blah/blah/blah/blah/package-lock.json
        Package: flatted@3.3.3
        malicious version of flatted (supply chain compromise)