feat!: stop including npm-shrinkwrap.json (#8163)

#### Summary

Per https://docs.npmjs.com/cli/v11/configuring-npm/npm-shrinkwrap-json,
one of the intended use cases for `npm-shrinkwrap.json` is

> command-line tools intended as global installs or devDependencies

[For several years](#2223), this is
what we've done with Netlify CLI.

This has come with... some pushback:
#6731. Including from the creator
of NPM.

On one hand, ensuring dependencies are pinned makes installs
deterministic and *helps* with security by preventing certain classes of
supply chain vulnerabilities.

On the other hand, when vulnerabilities are disclosed and patched,
Netlify CLI users cannot benefit from those patches until Netlify CLI
maintainers specifically bump them and publish a new release. Users
can't even `npm audit fix`.

Also, pnpm, yarn, bun, and all package managers other than npm do not
respect `npm-shrinkwrap.json` anyway.

It also honestly adds some maintenance complexity for us. We have some
strange scripts needed to make this work, for example to exclude our own
dev dependencies from the file. We've encountered [some strange
shrinkwrap-specific bugs](#7769).
And reacting quickly to all the incoming CVEs is disruptive.

Also, in some cases users may lose out on potential dependency deduping
in their tree (and global caching on their machine, with some package
managers).

**✅ Verdict: remove it.**

Closes #6731

Co-authored-by: Eduardo Bouças <mail@eduardoboucas.com>

Author: serhalp

package.json

@@ -9,7 +9,6 @@
   },
   "files": [
     "/bin",
-    "/npm-shrinkwrap.json",
     "/scripts",
     "/functions-templates",
     "/dist"
@@ -52,7 +51,6 @@
     "test:integration": "vitest run --retry=3 tests/integration/",
     "test:unit": "vitest run tests/unit/",
     "postinstall": "node ./scripts/postinstall.js",
-    "prepublishOnly": "node ./scripts/prepublishOnly.js",
     "typecheck": "tsc",
     "typecheck:watch": "tsc --watch"
   },

scripts/netlifyPackage.js

@@ -1,9 +1,6 @@
 // @ts-check
-import assert from 'node:assert'
-import { dirname, resolve } from 'node:path'
-import { readFile, stat, writeFile } from 'node:fs/promises'
-
-import execa from 'execa'
+import { resolve } from 'node:path'
+import { readFile, writeFile } from 'node:fs/promises'
 
 /**
  * @import {Package} from "normalize-package-data"
@@ -35,34 +32,13 @@ async function preparePackageJSON() {
     ...packageJSON.contents,
     main: './dist/index.js',
     name: 'netlify',
-    scripts: {
-      ...packageJSON.contents.scripts,
-
-      // We don't need the pre-publish script because we expect the work in
-      // there to be done when publishing the `netlify-cli` package. We'll
-      // ensure this is the case by throwing if a shrinkwrap file isn't found.
-      prepublishOnly: undefined,
-    },
     bin: {
       npxnetlify: binPath,
     },
   }
 
-  try {
-    const shrinkwrap = await stat(resolve(packageJSON.path, '../npm-shrinkwrap.json'))
-
-    assert.ok(shrinkwrap.isFile())
-  } catch {
-    throw new Error('Failed to find npm-shrinkwrap.json file. Did you run the pre-publish script?')
-  }
-
   console.log(`Writing updated package.json to ${packageJSON.path}...`)
   await writeFile(packageJSON.path, `${JSON.stringify(newPackageJSON, null, 2)}\n`)
-
-  console.log('Regenerating shrinkwrap file with updated package name...')
-  await execa('npm', ['shrinkwrap'], {
-    cwd: dirname(packageJSON.path),
-  })
 }
 
 await preparePackageJSON()