[RRFC] `npm explain` should work even absent a lockfile and node_modules

[ljharb]

Motivation ("The Why")

For example, https://github.com/npm/cli/issues/4311#issuecomment-1030707030 - when the first (ever, or first locally on a project without a lockfile) install fails, there's no lockfile and no node_modules, and no way to know why something's attempting to be installed.

Arborist has the ability to load the ideal tree in this circumstance, so there's no technical barrier I'm aware of that prevents this command from working.

Example

Solely from a package.json, npm explain foo would work without requiring a lockfile, or reified dependencies.

How

Current Behaviour

When I run npm explain foo without a lockfile or node_modules present, i get npm ERR! No dependencies found matching foo.

Desired Behaviour

I'd expect to get the same result as when either are present - the actual explanation of where foo comes from.

(If this seems like something simple enough to not require an RFC, i'd be happy to make a PR to add it)

[ljharb]

Per discussion, one possible pitfall might be that the ideal tree in arborist may fail to account for bundled deps.

[ruyadorno]

Also let's fix the support to package-lock-only, e.g: npm explain foo --package-lock-only - since that should be feasible using Arborist.loadVirtual - that can probably just be an issue open in the cli repo.

A proposed enhancement is to use loadVirtual by default in case a lock file is available but then WARN that displayed results might differ from a final reified tree.