
build: Add and publish npm package lockfile#145

Open
jackylamhk wants to merge 3 commits into oss-serverless:main from jackylamhk:build/add-package-lock

Conversation

@jackylamhk
Contributor

  • Add back package-lock.json to ensure every child dependency is pinned across local and CI.
  • Generate npm-shrinkwrap.json to ensure the published package will install pinned child dependencies.

Seeing a recurring weird issue where an unpublished @aws-sdk/core version is requested during the short window AWS publishes new SDK versions.

@G-Rath
Contributor

G-Rath commented Feb 25, 2026

Please don't use npm-shrinkwrap.json - it's horrible for downstream users and should not be used

@jackylamhk
Contributor Author

> Please don't use npm-shrinkwrap.json - it's horrible for downstream users and should not be used

Probably the wrong forum to discuss this, but locking the entire dependency tree is the goal of this PR to introduce build reproducibility. I understand that it is horrible for library consumers, but this package is used as a standalone CLI tool anyway.

@G-Rath
Contributor

G-Rath commented Feb 25, 2026

CLI tools like this should still be added as a dependency for applications, just like with eslint, prettier, lint-staged, and so on.

Using a lockfile gives build reproducibility, which is something that everyone should be doing.

Also worth pointing out that shrink wrapping is only respected by npm, so won't do anything for those using other package managers - from the issue you've described in the PR body, it sounds to me like adding a package-lock.json here should be sufficient.

(also ultimately what you've described sounds like a bug in the package manager itself, or the registry 🤷)

@mnapoli
Contributor

mnapoli commented Feb 26, 2026

If we commit package-lock.json here it will never be updated. If you suggest a solution to that I'm fine adding package-lock.json.

> this package is used as a standalone CLI tool anyway.

Keep in mind (as it's said above) that it's not distributed as a CLI but via NPM.
