Investigate how to lock versions of client-side Vaadin platform dependencies with npm

[haijian-vaadin]

Vaadin chose to use pnpm over npm mostly because of 2 reasons:

1. performance, but this doesn't hold any more, see details in #9835
2. to lock the versions. This hasn't been verified yet. But with 9952, this might be doable.

We should find tickets related to version pin tickets to make sure we don't introduce regressions (search by error messages like dom-module, fsevents etc).

Let's timebox the investigation to 3 days, after which the findings should be documented. This is the prerequisite for other tasks in Epic 9986

[joheriks]

Primary challenge with npm is how to pin the versions of components and mixins. The following options are on the table:

1. Do nothing and keep working as now in npm mode. Apps that worked with pnpm may break if they rely on add-ons that depend on a fixed version rather than a compatible range. Flow could detect if multiple versions of a platform package or a dependency that must be resolved uniquely (e.g. @polymer/polymer) are installed and throw an error.
2. Parse and update package-lock.json to pin the versions of all platform packages in the transitive dependencies (essentially doing the pnpm readPackage hook’s job from Java).
3. Rely on an external package, such as npm-force-resolutions, for option 2.
4. Wait for npm to gain resolution feature (this is in the works, see: RFC: overrides npm/rfcs#129)

More background and explanation:
https://docs.google.com/document/d/1idJi_6iodCuXlB80zjqyZhM_4RBRQaBAPD45SD_6LFI

[vlukashov]

Thanks for a thorough investigation!