JS: Recognize lazy-cache and property enumeration through libraries

[asgerf]

As a general improvement, we now recognise imports through lazy-cache:

let lazy = require('lazy-cache')(require)
lazy('mypackage')

lazy.mypackage() // actual use of 'mypackage'

The prototype pollution utility query has been improved to recognize property enumeration through a few NPM packages, such as for-own and for-in, allowing us to flag another CVE.

This currently includes more general-purpose enumerators like _.each which is possibly a bit risky, as we might pick up on places where it's always enumerating an array, but we'll see from the evaluation how it works.

[esbena]

Looks good.

I think we should have a test case or two for the lazy-cache+require combo.

We also need to update the change notes with all the libraries we end up modelling something for in this PR.

[esbena]

If the evaluation turns out fine, we should consider adding jQuery's forEach..

This particular predicate can probably be extended with a thousand more cases though...

[esbena]

This docstring needs to be more general now that propertyEnumerator includes many more cases than just for-own and for-in

[asgerf]

The evaluation shows that this PR actually fixes four timeouts that had snuck in due to a bad join ordering from a refactoring in #2731.

I'll run a quick evaluation against a commit that specifically fixes the join ordering, to see if this PR introduces any overhead of its own, possibly hidden behind the unrelated speed-up.

[asgerf]

Smoke-test evaluation against the commit that just fixes the join-ordering looks fine. Taken together with the original evaluation I'd say both this PR and the join order fix look safe.

I'll put up a separate PR for the join order fix in case a cherry-picked and/or revert is needed.

[asgerf]

Rebased on top of the fix commit. Should be ready to merge after the PR checks.

Edit: never mind, there are still outstanding review comments