Use npm install if no lock files found

[hudochenkov]

We at stylelint faced a problem: we couldn't release with new npmpub 4, because we don't use package-lock.json. We don't use it, because we need to be sure, that users, who rely on SemVer, won't get breaking stylelint. (related discussion).

This PR allow npmpub to use npm install if no lockfiles are found. It removes breaking change from v4, while not break anything else.

[MoOx]

Looks good! Thanks for this

[MoOx]

I merged and released this but keep in mind that I think that not adding a lock file to your project is a mistake (see https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/)

[ntwb]

Thanks @MoOx, greatly appreciated, the reason stylelint does not have a lock file is because I'm opposed to packages using them:

via sindresorhus/ama#479 (comment)
"Lockfiles for apps, but not for packages"

[MoOx]

Problem of this argument is that it's working only at the time you publish or install stuff, as explained in the post above. So I consider it's not relevant enough for me. Most of the time "semver errors" happens, you don't see it on publish but when a user open an issue. And in this case lock file might help to quickly identify which package is the culprit with a simple git diff with a fresh lock file :)