fix(cli): include dev dependencies in npm version lookup

[sakul-learning]

Summary

• Include dev dependencies when npm is used to detect the installed cdktn / cdktf package version.
• Add regression coverage for the npm package-version lookup arguments.

Fixes: #278

Testing

• pnpm nx test @cdktn/commons --runInBand --testFile=src/debug.test.ts
• pnpm nx build cdktn-cli
• Validated the linked repro with the locally built CLI:
  • cdktn debug
  • cdktn provider list
  • cdktn provider add random

[forivall]

@sakul-learning Could you also validate with the repro repo using yarn instead of npm?

[sakul-learning]

@forivall I validated the repro against Yarn classic as well.

What I tested:

• Fresh clone of forivall/cdktn-workspace-bug
• Removed package-lock.json
• Installed with Yarn classic (yarn 1.22.22), producing yarn.lock

Results:

• Baseline cdktn@0.23.3 still reproduces the original failure:
  • npx --no-install cdktn debug
  • exits 1
  • External Error: Could not determine cdktf/cdktn version...
• Using the locally built CLI from this PR in the same Yarn-installed repro:
  • cdktn debug exits 0
  • cdktn provider list exits 0

So the PR fix is validated for the Yarn version-lookup repro: the npm list ... --include=dev change lets the CLI find cdktn even when the project was installed with Yarn classic and the dependency is only in devDependencies.

One caveat: cdktn provider add random gets past the version-detection problem and finds the prebuilt provider, but then fails differently because Yarn classic refuses to add a dependency at the workspace root unless the command uses -W / --ignore-workspace-root-check:

Running this command will add the dependency to the workspace root rather than the workspace itself...

That looks like a separate Yarn/workspace behavior, not the original version-lookup bug fixed here.

Also, on the CI failures: I was able to reproduce intermittent Terraform Registry failures right now, even though the HashiCorp status page reports "fully operational". The failed integration logs show Terraform timing out while querying provider download metadata, e.g.:

could not query provider registry for registry.terraform.io/hashicorp/kubernetes
Client.Timeout exceeded while awaiting headers

I also hit a timeout locally against the same registry endpoint, and then it responded later. That makes the current integration failures look like Terraform Registry/service instability rather than something caused by this PR.

EDIT: Confirmed Hashicorp services incident

[so0k]

@sakul-learning Could you also validate with the repro repo using yarn instead of npm?

just curious, yarn classic is in maintenance mode and lacks quite a few supply chain attack safeguards, cdktn migrated to pnpm due to that