Allow packages to expose their entry points

[arcanis]

Describe the user story

I'm a package author, and I want to explicitly list the files that my users are allowed to require. I want to do this in order to prevent them from accessing my private files.

I'm a web architect, and I want a way to import packages installed through Yarn. This currently isn't possible because the Node resolution would require http requests to convert the lodash bare specifier into lodash/index.js.

Describe the solution you'd like

Packages would have access to a new entryPoints field that would list the files that users are allowed to require. If the user makes a require call to an unlisted file the PnP resolver would throw an exception.

As a side effect, because entryPoints would list all entry points, we would be able to simplify the Node folder & extension resolution by checking which entry exists within the array rather than by querying the file system - yielding unprecedented runtime resolution speed and opening up the possibility to use the Node resolution within browsers (since no http lookup would be required anymore).

Describe the drawbacks of your solution

Since this would affect how the .pnp.js file is generated, it would require us to add an additional field into the Package type (which would then have to be serialized in the lockfile).

Describe alternatives you've considered

The entryPoints could potentially be a more complex feature that would map a require name to a require path (for example "corejs/es5": "corejs/builds/es5.js"). This doesn't look a good idea as it would not work under different package managers that wouldn't use this standard.

Additional context

First referenced in yarnpkg/yarn#6945

[merceyz]

Closing as this is solved by using the exports field supported by node https://nodejs.org/api/packages.html#packages_exports and PnP support for this field is tracked in #650