fix: read only single package.json or package-lock.json document

Previously, this used a for loop over a json decoder, reading N
package.json objects from a file stream. Because a single file stream
containing the JSON for more than one package.json is unexpected, and
because on some filesystems the loop failed to exit, instead read a
single package.json object from the decoder.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
This commit is contained in:
Will Murphy 2025-02-28 13:07:27 -05:00
parent f6605a3817
commit e0bfd2f98a
2 changed files with 12 additions and 20 deletions


@ -55,11 +55,8 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment
var pkgs []pkg.Package
dec := json.NewDecoder(reader)
for {
var p packageJSON
if err := dec.Decode(&p); errors.Is(err, io.EOF) {
break
} else if err != nil {
if err := dec.Decode(&p); err != nil && !errors.Is(err, io.EOF) {
return nil, nil, fmt.Errorf("failed to parse package.json file: %w", err)
}
@ -69,7 +66,6 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment
pkgs,
newPackageJSONPackage(p, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
)
}
pkg.Sort(pkgs)
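Review bot: The new single `dec.Decode(&p)` call on the `if err := dec.Decode(&p); err != nil && !errors.Is(err, io.EOF)` line lets an empty or whitespace-only package.json fall through with a zero-valued `p` into the `pkgs = append(...)` call in the second hunk, where the old loop broke out of the loop on io.EOF before appending anything. Unless a name/version guard sits between the two hunks (not visible on this page), that produces a package with empty name and version in the catalog output. Keeping EOF as an explicit "no document" path preserves the old behavior: `if err := dec.Decode(&p); errors.Is(err, io.EOF) {` / `return nil, nil, nil` / `} else if err != nil {`. The same pattern is in the package-lock.json hunk, where an empty stream now yields a zero-valued `lock` (LockfileVersion 0) that is processed as if it had been parsed. parsePackageJSON starts before the first hunk and continues past the second.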


@ -66,13 +66,9 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
dec := json.NewDecoder(reader)
var lock packageLock
for {
if err := dec.Decode(&lock); errors.Is(err, io.EOF) {
break
} else if err != nil {
if err := dec.Decode(&lock); err != nil && !errors.Is(err, io.EOF) {
return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err)
}
}
if lock.LockfileVersion == 1 {
for name, pkgMeta := range lock.Dependencies {