
Validate npm update lockfiles #1927

Closed
dale-lakes wants to merge 1 commit into voidzero-dev:main from dale-lakes:codex/validate-npm-update-lockfile


Conversation


dale-lakes commented Jun 23, 2026


Summary

  • validate npm update results with npm install --package-lock-only --ignore-scripts
  • restore package.json, package-lock.json, and npm-shrinkwrap.json when npm accepts an update that npm install later rejects
  • leave pnpm, yarn, and bun update behavior unchanged

Root Cause

vp update delegates npm projects to npm update, while vp install delegates to npm install. npm can update the lockfile into a graph that npm install later rejects for peer dependency resolution, so vp update && vp install can fail after vp update reports success.

Repro Used

A minimal npm project with:

  • storybook@^10.3.5
  • @storybook/react-vite@^10.3.5
  • vite-plus@^0.2.0

The starting lockfile resolves Storybook 10.3.5 and Vite+ 0.2.0. That starting graph is valid because storybook@10.3.5 has no vite-plus peer dependency; its peer dependencies are only optional prettier.

Current npm update floats the lockfile to Storybook 10.4.6 and Vite+ 0.2.1, but Storybook 10.4.6 adds optional peer vite-plus@^0.1.15, so the subsequent install rejects the lockfile with ERESOLVE.

This is structural to Storybook's declared peer range, not just a patch float problem: semver ^0.1.15 accepts 0.1.x only and does not include 0.2.0 or 0.2.1.

With this patch, the same repro makes vp update exit 1, restores the lockfile to Storybook 10.3.5 / Vite+ 0.2.0, and npm install --package-lock-only --ignore-scripts succeeds afterward.

Fixes #1926

Validation

  • cargo fmt --all --check
  • RUST_MIN_STACK=8388608 cargo test -p vite_install
  • cargo clippy -p vite_install --all-targets --all-features -- --deny warnings -A clippy::byte_char_slices -A clippy::manual_assert_eq -A clippy::needless_return_with_question_mark -A clippy::unused_async_trait_impl -A clippy::useless_borrows_in_formatting
  • local Storybook repro against target/debug/vp update
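The validate-then-restore flow the summary describes, written out as an added shell example that is not code from this PR or from vite-plus (the project's change is in Rust); the `NPM` variable and the function names are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not code from the PR or from vite-plus: wrap npm update so
# that the resulting lockfile is checked with npm install before it is kept.
# NPM names the npm command to run (assumption; overridable for dry runs).
NPM="${NPM:-npm}"
# Files npm update may rewrite and which must be restored on failure.
LOCKFILES="package.json package-lock.json npm-shrinkwrap.json"

# snapshot_lockfiles PROJECT_DIR SNAPSHOT_DIR: copy the files that exist.
snapshot_lockfiles() {
  for f in $LOCKFILES; do
    if [ -f "$1/$f" ]; then cp "$1/$f" "$2/$f"; fi
  done
  return 0
}

# restore_lockfiles PROJECT_DIR SNAPSHOT_DIR: put the snapshot back; a file
# that did not exist before the update is removed again.
restore_lockfiles() {
  for f in $LOCKFILES; do
    if [ -f "$2/$f" ]; then cp "$2/$f" "$1/$f"; else rm -f "$1/$f"; fi
  done
  return 0
}

# validated_npm_update PROJECT_DIR: run npm update, then ask npm install to
# re-resolve the lockfile without touching node_modules or running scripts.
# Exit status 1 (with the snapshot restored) if npm install rejects it, which
# is what an ERESOLVE from a peer range such as vite-plus@^0.1.15 produces.
validated_npm_update() {
  dir="$1"
  snap=$(mktemp -d) || return 1
  snapshot_lockfiles "$dir" "$snap"
  if ! (cd "$dir" && "$NPM" update); then
    rm -rf "$snap"
    return 1
  fi
  if ! (cd "$dir" && "$NPM" install --package-lock-only --ignore-scripts); then
    echo "npm install rejected the lockfile from npm update; restoring" >&2
    restore_lockfiles "$dir" "$snap"
    rm -rf "$snap"
    return 1
  fi
  rm -rf "$snap"
  return 0
}
```

Set `NPM` to a stand-in command to exercise the restore path without a network; with the real npm, a failed validation leaves the project exactly as it was before `npm update` ran.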


netlify Bot commented Jun 23, 2026


Deploy Preview for viteplus-preview canceled.

Latest commit: bec6648
Latest deploy log: https://app.netlify.com/projects/viteplus-preview/deploys/6a3aaa9de45686000822e201

dale-lakes (Author) commented

Closing this PR after narrowing the root cause. vp update and vp install are wrapping npm here; the raw npm commands reproduce the same invalid-lockfile behavior, so this should be fixed/tracked in npm rather than patched in Vite+.

@dale-lakes dale-lakes closed this Jun 23, 2026
@dale-lakes dale-lakes deleted the codex/validate-npm-update-lockfile branch June 23, 2026 16:04

Development

Successfully merging this pull request may close these issues.

vp update can produce a package-lock that vp install rejects
