expose metadata about whether a package was published with 2FA

Packages published with 2FA are more trustworthy than packages that were not.

It would be useful to identify in package trees which packages were not published with 2FA/which maintainers are not using 2FA. I’m not saying that npm audit should consider them less trustworthy, but external tools would be able to leverage this information to enforce their own policies.

Related: https://github.com/nodejs/security-wg/issues/533