
Switch to npm `install-strategy=linked`

WordPress/gutenberg 0 comments 27d ago
medium | open | Scope: somewhat clear | Skill match: maybe | WordPress, JavaScript, React

Why this is a good first issue

Switching npm install strategy requires careful testing and compatibility checks.

AI Summary

The issue addresses phantom dependency problems in Gutenberg's npm packages by proposing a switch to npm's `install-strategy=linked`. This strategy enforces stricter dependency isolation, similar to pnpm. While the requirements are somewhat clear, implementation requires careful testing and compatibility checks with existing builds.

Issue Description

What problem does this address?

Gutenberg publishes 80+ packages to npm. These packages work in the monorepo but frequently break for external consumers because npm's default hoisted strategy lets packages import anything that happens to be installed at the root — even undeclared dependencies. Tests pass, CI is green, the PR gets merged, and then someone installs `@wordpress/block-editor` in their project and gets `Cannot find module`.

This isn't hypothetical. A research report found 60+ issues spanning 6 years — all tracing back to this root cause: missing dependencies on react, @babel/runtime, other @wordpress/* packages, ESLint plugins, and third-party packages.

Background

The preferred solution is to switch to pnpm, which enforces strict dependency isolation and also provides supply chain security features (build script controls, release age delays, trust policies) that npm lacks entirely. A ready-to-merge PR and a community discussion exist for this. However, the community has requested a Make Core proposal, which is still under review.

In the meantime, npm's install-strategy=linked offers a temporary workaround that catches phantom dependencies without switching package managers. It installs all packages into a flat .store directory inside node_modules, then creates symlinks and hardlinks to the correct locations. Each package can only resolve its own declared dependencies — similar to pnpm's isolation model. Note that workspace packages can still access dependencies declared in the root package.json, because Node's module resolution algorithm traverses up the directory tree. This is not specific to the linked strategy — it's how Node works. A [parallel effort](https:
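
An added example, not part of the issue or of Gutenberg's code: a static check that lists the packages a workspace imports without declaring them, which is the phantom-dependency condition described above. The manifest and sources are constructed, `@wordpress/example` is a hypothetical package name, and the regex matcher is a heuristic rather than a full parser.

```javascript
const { builtinModules } = require('node:module');
// Heuristic matcher (regex, not a parser) for string-literal specifiers in
// import/export ... from, bare import, require() and dynamic import().
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"\n]+)\1/g;

// '@babel/runtime/helpers/x' -> '@babel/runtime'; 'lodash/get' -> 'lodash'.
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}
// Relative paths, absolute paths and Node built-ins are not npm packages.
function isExternal(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return false;
  return !builtinModules.includes(packageName(specifier));
}

// manifest: parsed package.json; sources: { fileName: sourceText }.
// devDependencies are deliberately not counted as declared: consumers of the
// published package never install them.
function findPhantomDeps(manifest, sources) {
  const declared = new Set([manifest.name]);
  for (const field of ['dependencies', 'peerDependencies', 'optionalDependencies']) {
    Object.keys(manifest[field] || {}).forEach((dep) => declared.add(dep));
  }
  const phantom = new Map(); // package name -> Set of importing files
  for (const [file, text] of Object.entries(sources)) {
    for (const [, , specifier] of text.matchAll(SPECIFIER_RE)) {
      const name = packageName(specifier);
      if (!isExternal(specifier) || declared.has(name)) continue;
      if (!phantom.has(name)) phantom.set(name, new Set());
      phantom.get(name).add(file);
    }
  }
  return [...phantom.keys()].sort()
    .map((name) => ({ name, files: [...phantom.get(name)].sort() }));
}

// Constructed sample; '@wordpress/example' is a hypothetical package name.
const sampleManifest = {
  name: '@wordpress/example',
  dependencies: { '@wordpress/data': '*' },
  devDependencies: { react: '*' },
};
const sampleSources = {
  'src/index.js': "import { useState } from 'react';\nimport { select } from '@wordpress/data';\nimport './style.css';",
  'src/util.js': "const ext = require('@babel/runtime/helpers/extends');\nconst path = require('path');",
};
console.log(JSON.stringify(findPhantomDeps(sampleManifest, sampleSources)));
```

In the sample, `react` is reported even though it is a devDependency, because a devDependency resolves inside the monorepo but is not installed for someone consuming the published package.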

GitHub Labels

[Type] Enhancement, [Type] Build Tooling


Risk Flags

  • potential impact on existing builds
  • requires npm version compatibility

Details

Points: 20 pts
Difficulty: medium
Scope: somewhat clear
Skill Match: maybe
Test Focused: no
Assignee: manzoorwanijk