package.json parser fails on object notation for workspaces

[pjungermann]

Currently, the workspaces field in package.json files is only allowed to be an array of strings. However, it has also an object version.

https://classic.yarnpkg.com/blog/2018/02/15/nohoist/

Example

  "workspaces": {
    "packages": [
      "packages/*",
      "plugins/*"
    ]
  },

Ref to an active open-source project using this notation:
https://github.com/backstage/backstage/blob/master/package.json#L52

Impact e.g. on Trivy scans:

Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string