Use explicitlyReferencedComponentIds to determine which packages are direct

[juxtin]

This is a big change from how we've been doing this, but it's much more likely to be accurate.

We typically consider a dependency direct iff it is explicitly listed as a dependency at the top level. The explicitlyReferencedComponentIds field in the Component Detection output corresponds to this, so it should be the only thing we need to check when determining if a dependency is direct or transitive.

The main risk here as I see it is an unfortunate difference in the way paths are represented in that section (dependencyGraphs) vs later on in the components:

  "dependencyGraphs": {
    "/workspaces/component-detection-dependency-submission-action/test/package.json": {
      "graph": {
        "Conda-dependency-submission-action 1.0.0 - Npm": null
      },
      "explicitlyReferencedComponentIds": [],
      "developmentDependencies": [],
      "dependencies": []
    },

vs

    {
      "locationsFoundAt": [
        "/package.json"
      ],
      "component": {
        "name": "Conda-dependency-submission-action",
        "version": "1.0.0",

So most of the time, manifest paths are given relative to the repository root. In dependencyGraphs, they're given as absolute filesystem paths. That creates the risk that we'll mess up the mapping from one to the other. For now, I think the way I've written this is likely to work, but it's a little risky still.

[juxtin]

In my test repo, this works as expected 🎉

What I'm still concerned about:

1. Situations where the filePath is overridden to some special value.
2. Ecosystems other than Python/uv.

[Ahmed3lmallah]

LGTM!

[ljones140]

Nice

This does feel a bit more robust that the top level referrers logic we previously went with. The trade off being now we have to worry about file path conversions

[juxtin]

New code to eliminate self-referential paths

[Ahmed3lmallah]

New changes look good. Thanks!