feat: match npm semantics exactly for installs and updates

[Bubblyworld]

Currently some tests are failing due to the new behaviour, I'm still working my way through them. There's a script you can run at test/npm-compatibility/ that will test the behaviour of npm for updates/installs in a bunch of different scenarios, and tests that make sure the behaviour of the generator is aligned.

1. npm install <pkg> bumps the version of <pkg> to latest, and only bumps transitive dependencies if they're out of range.
2. npm update <pkg> has exactly the same behaviour as 1 in all tested cases.
3. npm install bumps the versions of anything that is out of range, but keeps versions of in-range primaries and secondaries.
4. npm update bumps the versions of everthing to latest.

The changes to latest that I've made:

1. the latest and freeze generator options have both been deprecated in favour of a ResolutionOptions object that you can optionally pass into install/link/update.
2. ResolutionsOptions contains mode, latestPrimaries, latestSecondaries and freeze fields. I had to split into the two cases for latest to make sure that npm install <pkg> doesn't bump secondaries, but does bump primaries.
3. When none of the latest/freeze resolution options are set, the default is to take existing locks whenever they are in range.

[Bubblyworld]

So I've replaced all of the free/latest/mode options and replaced them with a single mode parameter that controls existing locks:

1. "default" bumps out of range locks, but keeps in-range locks.
2. "latest-primaries" bumps primary locks, same behaviour as "default" for secondaries.
3. "latest-all" bumps all touched locks.
4. "freeze" uses existing locks whenever possible, even if they are out-of-range.