Description
Describe the bug
See https://docs.npmjs.com/cli/v11/configuring-npm/npm-shrinkwrap-json if you aren't familiar with the semantics of npm-shrinkwrap.json.
If a package is published with an npm-shrinkwrap.json, those dependency resolutions must be respected when determining which security vulnerabilities the release contains; otherwise this will not reflect what users experience in reality.
For example, https://npmx.dev/package/netlify-cli/v/23.15.0 reports 0 vulns, but try mkdir foo && cd foo && npm init -y && npm i netlify-cli@23.15.0 && npm audit and you'll see 5 vulnerabilities (1 moderate, 4 high).
... Now where this gets hairy is that pnpm, yarn, and bun all do not respect npm-shrinkwrap.json, so for users of those package managers the current behaviour is "correct".
Additional context
I'm not quite sure what we should do about this...
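As an added illustration (not code from the issue, npmx.dev or npm), the following JavaScript audits the tree that a published npm-shrinkwrap.json actually pins, rather than re-resolving the package.json ranges: it walks every entry in a constructed lockfileVersion 3 "packages" map, nested duplicates included, and matches each pinned version against constructed advisories. Package names, versions and advisory ranges are made up; the lockfile shape follows the npm docs linked above.

```javascript
// Added example: audit the versions pinned by npm-shrinkwrap.json (lockfileVersion 3),
// since that is what `npm i <pkg>` installs for a package published with a shrinkwrap.

// Constructed shrinkwrap: package.json's range ^1.0.0 for lib-a would resolve to a
// fixed release today, but the publisher pinned 1.2.0, which is what users receive.
const SHRINKWRAP = {
  name: "example-cli", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "example-cli", version: "1.0.0",
          dependencies: { "lib-a": "^1.0.0", "lib-b": "~2.1.0" } },
    "node_modules/lib-a": { version: "1.2.0" },
    "node_modules/lib-b": { version: "2.1.4" },
    "node_modules/lib-b/node_modules/lib-a": { version: "1.0.3" }, // nested copy
  },
};

// Constructed advisories: a version is affected if introduced <= version < patched.
const ADVISORIES = [
  { name: "lib-a", introduced: "1.0.0", patched: "1.3.0", severity: "high" },
  { name: "lib-b", introduced: "2.0.0", patched: "2.1.0", severity: "moderate" },
];

// Compare dotted release versions numerically (prerelease tags are not handled;
// a lockfile pins exact versions, so full semver range parsing is not needed here).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name is everything after the last "node_modules/" (keeps @scope/name intact).
function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Every installed entry counts, including nested duplicates deeper in the tree.
function auditShrinkwrap(lock, advisories) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project itself, not a dependency
    const name = nameFromPath(path);
    for (const adv of advisories) {
      if (adv.name !== name) continue;
      if (cmpVersion(entry.version, adv.introduced) >= 0 &&
          cmpVersion(entry.version, adv.patched) < 0) {
        findings.push({ path, name, version: entry.version, severity: adv.severity });
      }
    }
  }
  return findings;
}

// Summary in the style of `npm audit` ("N moderate, M high").
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}
```

Running `auditShrinkwrap(SHRINKWRAP, ADVISORIES)` flags both pinned copies of lib-a (1.2.0 and the nested 1.0.3) and clears lib-b, because 2.1.4 is at or past the patched version; a range-based audit of the same package.json would have reported nothing for lib-a.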