chore(core): auto-update vendored lockdown.umd.js

[boneskull]

This changes the lint-staged configuration so that when package-lock.json is updated, the vendored packages/core/lib/lockdown.umd.js is copied from the currently-installed ses and added to the commit.

I'm not sure if this is something we want to be doing or not, but needing to run the lib:ses script in lavamoat-core after a ses upgrade is non-obvious for maintainers (me).

[legobeat]

Suggested change

	"lib:ses": "cp ../../node_modules/ses/dist/lockdown.umd.js ./lib/lockdown.umd.js && git add -A ./lib/lockdown.umd.js",
	"lib:ses": "cp ../../node_modules/ses/dist/lockdown.umd.js ./lib/lockdown.umd.js",

I think the package scripts like this shouldn't be modifying the local git environment, any drawback to moving it into the lint-script?

[boneskull]

sure (I had it this way originally but changed it for reasons that escape me)

[legobeat]

Suggested change

	'package-lock.json': () => ['npm run -w lavamoat-core lib:ses'],
	'package-lock.json': () => ['npm run -w lavamoat-core lib:ses && git add -A ./packages/core/lib/lockdown.umd.js'],

[legobeat]

I think the package scripts like this shouldn't be modifying the local git environment, any drawback to moving it into the lint-script?

[legobeat]

IMO a more proper solution would be to not have a copy checked into git at all - just vendor a copy from the package devDependency at build-time. And maybe add it to bundledDependencies?

Other than or until that, maybe giving a more helpful error message to the failing test here would also solve most of the need here, without additional magic in commit hooks?

[boneskull]

Yeah, I mean, why do we vendor lockdown.umd.js, anyway?

[boneskull]

Closing in lieu of a PR which removes it