fix: correctly deserialize npm packages in lockfile (#4370)
### Description
Fixes #4365
1.8.6 was our first release with the Rust npm lockfile implementation.
It wasn't correctly deserializing `optionalDependencies` so they were
ending up in the `other` field which isn't used for lockfile analysis.
### Testing Instructions
Added failing unit test. Can also verify that pruning a project that
depends on `turbo` now includes all of the possible binaries.
fix WEB-806 ([link](https://linear.app/vercel/issue/WEB-806))
