fix(libnpmexec): correctly resolve workspace dependency binaries from graph

[arjun-vegeta]

Description:
Fixes #9640

Bug:
When running npm exec with a workspace-scoped dependency that shares a binary name with a root-hoisted dependency from another workspace, the root-hoisted binary is incorrectly executed instead of the locally specified dependency.

Root Cause:
Under workspace hoisting, multiple workspaces might use tools that expose identically-named binaries (e.g. shared-bin). Because npm links hoisted dependencies to node_modules/.bin at the root, the root .bin directory will only contain a single symlink for shared-bin (pointing to whichever package got hoisted).
libnpmexec was previously falling back to searching .bin directories via localFileExists(), meaning it would always incorrectly execute the hoisted root symlink, completely ignoring the specific dependency version declared by the active workspace.

Fix:

• Detect when npm exec is invoked from within a workspace (opts.pkgPath !== path).
• Hook into the arborist graph and directly traverse the edgesOut of the specific workspace node to find the correctly scoped dependency's bin path natively.
• Skip the hoisted .bin fallback search entirely when inside a workspace context, effectively isolating executions from root-hoisted symlink collisions.

Testing:

• Added a full integration test in test/local.js that exactly mimics the shared-bin hoist collision from the bug report.
• All tests pass 100%.

[owlstronaut]

Thanks for digging into this, but I ran your exact repro on the branch and it still prints  A bin / A bin  under workspace hoisting only one  shared-bin  link gets created (→tool-a), so the  binPaths  change doesn't actually fix #9640

[arjun-vegeta]

Thanks for digging into this, but I ran your exact repro on the branch and it still prints  A bin / A bin  under workspace hoisting only one  shared-bin  link gets created (→tool-a), so the  binPaths  change doesn't actually fix #9640

Thanks for testing it out. The old binPaths approach was a dead end because of how the hoisted .bin symlink gets overwritten at the root

I just pushed a complete rewrite. I dropped the binPaths idea entirely and instead hooked into the Arborist tree. Now, if it detects it's running inside a workspace, it walks the actual dependency graph (edgesOut) for that specific workspace node to find the correct binary path directly (e.g., node_modules/tool-b/cli.js), completely bypassing the hoisted .bin folder

The repro now outputs A bin / B bin correctly, and I've added full integration tests for the hoisted edge-case. Can you test it out once more and let me know how it goes