feat(manager/pep621): extract locked versions from pdm.lock

[Churro]

Changes

Adds parsing capabilities for pdm.lock files. This enables the extraction of locked versions from pdm.lock analogous to what others managers do (e.g., poetry in schema.ts and extract.ts).

For separation of concerns, I added a new extractLockedVersions() method since process() is still extracting dev dependencies and wouldn't even proceed if no tool.pdm section exists in pyproject.toml. However, this section is optional, so to identify pdm, a check for build-system was added in extractLockedVersions().

Context

I'm testing the different managers with osv.dev and noticed that no vulnerability alerts are created for pep621 / pdm if dependencies are not declared with exact versions. This is fixed by this PR with the extraction of locked versions (see test repo below).

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

Test repo: renovate-demo/renovate-osv-pypi#5

[renovate-release]

🎉 This PR is included in version 37.226.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.226.0

Your semantic-release bot 📦🚀