feat!: drop npm-shrinkwrap.json support

BREAKING CHANGE: `npm shrinkwrap` is removed, the `shrinkwrap` config alias is removed, and `npm-shrinkwrap.json` is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root `npm-shrinkwrap.json` to `package-lock.json`; use `bundleDependencies` if you need to ship a locked dependency tree.

Author: owlstronaut

docs/lib/build.js

@@ -105,7 +105,6 @@ const generateNav = async (contentPath, navPath) => {
     '/configuring-npm/install',
     '/configuring-npm/folders',
     '/configuring-npm/npmrc',
-    '/configuring-npm/npm-shrinkwrap-json',
     '/configuring-npm/package-json',
     '/configuring-npm/package-lock-json',
   ]

docs/lib/content/commands/npm-audit.md

@@ -25,7 +25,7 @@ This option does not filter the report output, it simply changes the command's f
 
 ### Package lock
 
-By default npm requires a package-lock or shrinkwrap in order to run the audit.
+By default npm requires a package-lock in order to run the audit.
 You can bypass the package lock with `--no-package-lock` but be aware the results may be different with every run, since npm will re-build the dependency tree each time.
 
 ### Audit Signatures

docs/lib/content/commands/npm-ci.md

@@ -14,13 +14,12 @@ This command is similar to [`npm install`](/commands/npm-install), except it's m
 
 The main differences between using `npm install` and `npm ci` are:
 
-* The project **must** have an existing `package-lock.json` or
-  `npm-shrinkwrap.json`.
+* The project **must** have an existing `package-lock.json`.
 * If dependencies in the package lock do not match those in `package.json`,
   `npm ci` will exit with an error, instead of updating the package lock.
 * `npm ci` can only install entire projects at a time: individual dependencies cannot be added with this command.
 * If a `node_modules` is already present, it will be automatically removed before `npm ci` begins its install.
-* It will never write to `package.json` or any of the package-locks:
+* It will never write to `package.json` or `package-lock.json`:
   installs are essentially frozen.
 
 NOTE: If you create your `package-lock.json` file by running `npm install` with flags that can affect the shape of your dependency tree, such as

docs/lib/content/commands/npm-install.md

@@ -11,13 +11,12 @@ description: Install a package
 ### Description
 
 This command installs a package and any packages that it depends on.
-If the package has a package-lock, or an npm shrinkwrap file, or a yarn lock file, the installation of dependencies will be driven by that, respecting the following order of precedence:
+If the package has a package-lock or a yarn lock file, the installation of dependencies will be driven by that, respecting the following order of precedence:
 
-* `npm-shrinkwrap.json`
 * `package-lock.json`
 * `yarn.lock`
 
-See [package-lock.json](/configuring-npm/package-lock-json) and [`npm shrinkwrap`](/commands/npm-shrinkwrap).
+See [package-lock.json](/configuring-npm/package-lock-json).
 
 #### How `npm install` uses `package-lock.json`
 
@@ -136,7 +135,7 @@ Even if you never publish your package, you can still get a lot of benefits of u
 
     * `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list.
 
-    Further, if you have an `npm-shrinkwrap.json` or `package-lock.json` then it will be updated as well.
+    Further, if you have a `package-lock.json` then it will be updated as well.
 
     `<scope>` is optional.
     The package will be downloaded from the registry associated with the specified scope.
@@ -402,6 +401,5 @@ See [folders](/configuring-npm/folders) for a more detailed description of the s
 * [npm registry](/using-npm/registry)
 * [npm dist-tag](/commands/npm-dist-tag)
 * [npm uninstall](/commands/npm-uninstall)
-* [npm shrinkwrap](/commands/npm-shrinkwrap)
 * [package.json](/configuring-npm/package-json)
 * [workspaces](/using-npm/workspaces)

docs/lib/content/commands/npm-query.md

@@ -152,7 +152,7 @@ $ npm query ':root>:outdated(in-range).prod' --no-expect-results
 
 ### Package lock only mode
 
-If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded.
+If package-lock-only is enabled, only the information in the package lock is loaded.
 This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).
 
 ### Configuration

docs/lib/content/commands/npm-sbom.md

@@ -205,7 +205,7 @@ SBOMs can be generated in either [SPDX](https://spdx.dev/) or [CycloneDX](https:
 
 ### Package lock only mode
 
-If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded.
+If package-lock-only is enabled, only the information in the package lock is loaded.
 This means that information from the package.json files of your dependencies will not be included in the result set (e.g.
 description, homepage, engines).
 

docs/lib/content/commands/npm-shrinkwrap.md

@@ -15,11 +15,11 @@ This uninstalls a package, completely removing everything npm installed on its b
 It also removes the package from the `dependencies`, `devDependencies`,
 `optionalDependencies`, and `peerDependencies` objects in your `package.json`.
 
-Further, if you have an `npm-shrinkwrap.json` or `package-lock.json`, npm will update those files as well.
+Further, if you have a `package-lock.json`, npm will update that file as well.
 
-`--no-save` will tell npm not to remove the package from your `package.json`, `npm-shrinkwrap.json`, or `package-lock.json` files.
+`--no-save` will tell npm not to remove the package from your `package.json` or `package-lock.json` files.
 
-`--save` or `-S` will tell npm to remove the package from your `package.json`, `npm-shrinkwrap.json`, and `package-lock.json` files.
+`--save` or `-S` will tell npm to remove the package from your `package.json` and `package-lock.json` files.
 This is the default, but you may need to use this if you have for instance `save=false` in your `npmrc` file
 
 In global mode (ie, with `-g` or `--global` appended to the command), it uninstalls the current package context as a global package.
@@ -33,14 +33,14 @@ Scope is optional and follows the usual rules for [`scope`](/using-npm/scope).
 npm uninstall sax
 ```
 
-`sax` will no longer be in your `package.json`, `npm-shrinkwrap.json`, or `package-lock.json` files.
+`sax` will no longer be in your `package.json` or `package-lock.json` files.
 
 ```bash
 npm uninstall lodash --no-save
 ```
 
-`lodash` will not be removed from your `package.json`,
-`npm-shrinkwrap.json`, or `package-lock.json` files.
+`lodash` will not be removed from your `package.json` or
+`package-lock.json` files.
 
 ### Configuration
 

docs/lib/content/commands/npm-uninstall.md

@@ -141,7 +141,6 @@ NOTE: If a package has been upgraded to a version newer than `latest`, it will b
 
 * [npm install](/commands/npm-install)
 * [npm outdated](/commands/npm-outdated)
-* [npm shrinkwrap](/commands/npm-shrinkwrap)
 * [npm registry](/using-npm/registry)
 * [npm folders](/configuring-npm/folders)
 * [npm ls](/commands/npm-ls)

docs/lib/content/commands/npm-update.md

@@ -14,8 +14,7 @@ description: Bump a package version
 
 ### Description
 
-Run this in a package directory to bump the version and write the new data back to `package.json`, `package-lock.json`, and, if present,
-`npm-shrinkwrap.json`.
+Run this in a package directory to bump the version and write the new data back to `package.json` and `package-lock.json`.
 
 The `newversion` argument should be a valid semver string, a valid second argument to [semver.inc](https://github.com/npm/node-semver#functions) (one of `patch`, `minor`, `major`, `prepatch`, `preminor`, `premajor`, `prerelease`), or `from-git`.
 In the second case, the existing version will be incremented by 1 in the specified field.