Bug: npm let us use undeclared (in package.json) dependencies

Is there a serious showstopper reason to not be using pnpm yet? (jump to the end to see about the bug from the title of this issue)

For all these excerpts, assume $ rm -rf node_modules/ has been run prior to the timed command.
First run was without lock file and second run was always with lock file.
Verification made while standing on HEAD, which currently is commit f54dbcd

npm

First run: ~55 seconds

$ time npm ci

added 1261 packages, and audited 1262 packages in 54s

10 vulnerabilities (9 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

real    0m54,574s
user    0m18,137s
sys     0m15,546s

Second run: ~20 seconds

$ time npm ci
[redacted...]
real    0m19,637s
user    0m11,526s
sys     0m8,368s

pnpm

First run: ~40 seconds

$ time pnpm i
Packages: +1168
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Progress: resolved 1232, reused 1167, downloaded 0, added 1168, done

[redacted...]

Done in 39.5s

real    0m39,637s
user    0m16,913s
sys     0m14,826s

Second run: ~3 seconds

$ time pnpm i
[redacted...]
Done in 2.7s

real    0m2,802s
user    0m8,708s
sys     0m2,670s

yarn

First run: ~113 seconds

$ time yarn install
yarn install v1.22.21
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
[3/5] Fetching packages...
[4/5] Linking dependencies...
warning "@docsearch/react > @algolia/autocomplete-preset-algolia@1.9.3" has unmet peer dependency "@algolia/client-search@>= 4.9.1 < 6".
warning "@docsearch/react > @algolia/autocomplete-core > @algolia/autocomplete-plugin-algolia-insights@1.9.3" has unmet peer dependency "search-insights@>= 1 < 3".
warning "@docsearch/react > @algolia/autocomplete-core > @algolia/autocomplete-shared@1.9.3" has unmet peer dependency "@algolia/client-search@>= 4.9.1 < 6".
warning " > @remix-run/v1-meta@0.1.3" has unmet peer dependency "@remix-run/server-runtime@^1.15.0 || ^2.0.0".
[5/5] Building fresh packages...
success Saved lockfile.
Done in 112.08s.

real    1m52,302s
user    0m17,545s
sys     0m4,605s

Second run: ~7 seconds

$ time yarn install

Done in 6.84s.

real    0m7,085s
user    0m8,749s
sys     0m10,127s

Other considerations

npm requires audit npm shows "10 vulnerabilities (9 moderate, 1 high)". After running npm audit fix we are left still with "9 moderate severity vulnerabilities". Finally npm audit fix --force gets ride of all the warnings, however it requires further analysis as some packages needed a SemVer major change.

pnpm produces a clean installation without warnings. However after installing I run pnpm audit just in case, and it found only one vulnerability:
```
$ pnpm audit
[redacted]
moderate │ xml2js is vulnerable to prototype pollution
```
yarn leave us with "unmet peer dependencies"
both yarn and npm let us use undeclared dependencies Whether we install and run with yarn or npm, the server starts and runs ok. However, if we install our dependencies with pnpm, and run the server, we encounter this bug:

Error: Cannot find module 'react-router-dom' imported from 'app/routes/docs.$lang.$ref.tsx'

This happens because the way both yarn and npm resolve peer dependencies, which is wrong, as it let us use packages that we haven't explicitly declared in our package.json.

I vote we jump head first to start using pnpm. If no arguments against are given, I'll do the PR.

remix-run / remix-website