Download private packages for Firefox code review

[aklinker1]

Feature Request

If your extension has private npm packages that require auth to upload, you don't want to share you token when generating sources.

We should download tarballs for all private packages, and update the zipped package.json to resolve to the local versions instead of the ones on the remote.

Private packages are any dependencies or sub-dependencies that start with a scope with a custom token in your .npmrc file.

Is your feature request related to a bug?

N/A

What are the alternatives?

Alternatively, we need to allow the .npmrc file to be zipped.

Additional context

N/A

[aklinker1]

This is a big feature that requires lots of steps to be done automatically:

1. Parse <root>/.npmrc for custom scopes
2. Parse <root>/.npmrc and ~/.npmrc to find auth
3. List all packages in the project
4. Filter down to a list that start with scopes with auth
5. Use npm view <package-name> --json | jq dist.tarball to grab the private package URLs
6. Download all the tarballs into .wxt/private-packages using this code
7. Copy all sources to a temp directory
8. Update the temp directory's package.json to resolve all the private packages to their local file path
9. Zip temp directory

So I'm gonna put this off since all my extensions either don't use private packages or use a "private" randomized URL, which doesn't need auth to access it.

Also, several of these steps require different logic for each package manager.