perf: parallelize signing

[SuperDisk]

When you're signing an application that includes a lot of native code, e.g. dylibs and executables, the time it takes to sign it all can balloon up to hours-- this is the case for myself on a project that includes GStreamer (which is massive).

This commit does signing in parallel. It's slightly nuanced-- the Apple code signing tool can't operate on a higher directory level directory while signing is going on below, so we need to handle it at the leaf nodes first and then continue upwards. It's really weird and unintuitive, but oh well; this PR handles those cases properly.

For me this knocks signing time down from hours to about a minute.

Additionally, this PR fixes a bug in the existing code, where stat is incorrectly used instead of lstat, meaning that the later check in the code for .isSymbolicLink() would never return true.

[erickzhao]

Note that a maintainer is going to have to revert the lockfile changes as well and re-apply them as per our dependency policy.

I'm not sure why all the URLs are being switched to npmjs.org here.

[SuperDisk]

Sure-- sorry, I just quickly slapped this PR up since it had just been sitting on my machine and I just wanted it to see the light of day. I had hacked up things a bit to install with npm and this is PR is just the logic extracted from that work. I can undo the whitespace changes and the syntax issue to make it work with Yarn, but I think someone on your side will need to re-lock things as you said.

[erickzhao]

Thank you! Will give the business logic a review once that's ready. 🙇‍♂️

[SuperDisk]

Done! Let me know if there's anything else that needs changed. I updated p-limit to the latest-- I had specifically chosen that old version because I was running into weird module type issues, but I was building osx-sign in an unorthodox manner so it might be alright to use the latest.