fix(ship): sync package-lock.json version alongside package.json

[oharriehausen]

Problem

/ship Step 12 (carved into bin/gstack-version-bump by #1806) bumps VERSION and package.json's version but leaves package-lock.json's version field stale. Every JS-repo ship then carries a spurious 2-line package-lock.json diff, and npm ci warns on the version mismatch.

This is the same bug #1757 fixed against the old inline-bash surface. #1757 is now CONFLICTING because #1806 moved that code into the CLI, so it can't be merged as-is. This PR re-ports the fix onto the new CLI surface — it's what #1757 needs to become.

Fix

writeLockVersion() mirrors writePkgVersion()'s semantics:

• Silent skip when package-lock.json is absent (yarn/pnpm/bun/no JS).
• Malformed lockfile → exit 2, no corrupted write.
• I/O failure after package.json already written → exit 3 (half-write).
• Updates both top-level version and packages[""].version (lockfileVersion 3 stores the root version in two places).

Wired through both write (FRESH bump) and repair (DRIFT_STALE_PKG). The state classifier is intentionally untouched: a stale lockfile root version never blocks runtime, so it's opportunistically synced but is not a halt condition.

Tests

• 3 existing write/repair assertions updated for the new packageLock field.
• 3 new tests cover lockfile sync on write + repair plus the malformed-lockfile exit-2 guard.
• Full gstack-version-bump + ship-version-sync suites: 32 pass, 0 fail.

Built on top of v1.55.1.0 (c43c850); clean, no conflicts.

Closes the gap left by #1757.

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

[buddy7599bot]

Validated — this looks correct and is the canonical surface for the lockfile-sync fix. Confirming the lineage so triage is clean:

• fix(ship): sync package-lock.json alongside package.json in Step 12 #1757 (the original inline-bash fix) is now CLOSED and was CONFLICTING, and v1.54.0.0 feat: carve /ship into skeleton + on-demand sections (-59% always-loaded) #1806 (v1.54.0.0) merged, carving /ship Step 12 into bin/gstack-version-bump. So the old surface fix(ship): sync package-lock.json alongside package.json in Step 12 #1757 patched no longer exists — this PR is the correct re-port, not a competing duplicate.
• On current main, bin/gstack-version-bump has writePkgVersion() but no lockfile writer, so package-lock.json's version is left stale exactly as described — the bug reproduces.
• writeLockVersion() mirrors writePkgVersion()'s contract (silent skip when absent, malformed → exit 2, post-package.json I/O failure → exit 3) and updates both top-level version and packages[""].version, which is right for lockfileVersion 2/3.

No competing open PR found on this path. One small nicety (non-blocking): a test asserting the lockfile is left untouched when only VERSION/package.json exist (the yarn/pnpm/bun "no lockfile" path) would lock in the silent-skip behavior, if not already covered.