Fix error due to dependency on @npmcli/arborist #25

[hiro5id]

• I have remove dependency on @npmcli/arborist.
• I have extracted the necesary code from arborist that is now no longer available in the latest version of arborist. I could have used @npmcli/package-json which is what latest version of arborist is using now, but that does not behave the same way as the old code, which does not alter the package.json sort order of the properties.

[ultrr]

Actually, why is there a need of sorting the package.json? In my opinion, audit command should not change anything except versions of packages, especially when run with '--no-fix' parameter.

[svettwer]

@ultrr The original problem was that we did not touch the order of the dependencies but it just occurred that we removed new lines at the end of the package.json files because we changed the files by using simply fs. This was changed by #19 due to #15.
I think we introduced more problems that we had before, because now we are talking about reordering dependencies. 😂

To be honest, I don't want to add code that introduces some ordering etc. This would lead to more discussions on the long run for sure. Using dependencies performing certain tasks is one thing but if we add such code to the lib, we would have to maintain it, think about what should be done and what not etc. This would lead to effort which is not in scope of this lib in my opinion.

Nevertheless, we have to get rid of the arborist dependency.

[hiro5id]

Actually, why is there a need of sorting the package.json? In my opinion, audit command should not change anything except versions of packages, especially when run with '--no-fix' parameter.

@ultrr correct me if I'm wrong but I thought that npm install also causes package dependencies to be re-sorted in package.json alphabeticaly if they are not already. I think this project's maintainers thinking to use arborist was to mimic that same behaviour.

[svettwer]

Hi 👋

I finally found some time to finalize my work on that topic. Long story short: I removed arborist again. That solves the dependency error. In addition, I added some logic to consider basic formatting information of the input files, when writing audited files. That might not be perfect but it does not add so much code to maintain over time.