Only include lib dependencies in package

[Rich-Harris]

Describe the problem

Moving #2884 (comment) into its own issue. If a repo contains both an app and a package, it's quite possible for package.json to contain dependencies that are only relevant to the app. These get copied into package/package.json on svelte-kit package.

Describe the proposed solution

It'd be nice if the generated package.json only included the dependencies that were referenced in lib.

Alternatives considered

Give users manual control over the package.json. Would make a good all-purpose escape hatch, but is very much a case of forcing the human to do the computer's job.

Importance

nice to have

Additional Information

No response

[paperdave]

i've been looking into how an implementation would look, and it seems related logic was done in #2453 with replacing $lib imports. though that implementation uses some regular expressions, which many commented on how it wasn't ideal, but it was merged due to importance. I think the ideal solution would be a single pass that parses the js/svelte file to do the analysis of this issue and the modification of the alias resolving (finishing alias resolving could be related to #4734 which i was looking into as well).

for the short term i could go and quickly throw together some regex based solution, but since this isn't as important, it might be more valuable to implement it correctly, but i'm unsure what tools/method I should use for that.

if you have any ideas on how proper parsing of files would go, i'd love to take a stab at implementing this, and maybe even fix up the aliasing stuff (or should the latter be a separate PR after?)

[dummdidumm]

In the spirit of #8825 I think that we shouldn't do this and instead educate people what to put where.