1.3.0's `file:vendor/xlsx-0.20.3.tgz` dep spec hit a known
Windows-npm bug where `file:` deps inside a globally-installed
published package fail to resolve. The user saw:

  npm warn tarball … (null) seems to be corrupted. Trying again.
  …
  npm error ENOENT … \vendor\xlsx-0.20.3.tgz

The inner tarball ships correctly inside the published outer
tarball (byte-identical SHA-256 verified), but the Windows
file: resolver never reads it.

Fix: add `bundleDependencies: ["xlsx"]`. npm pack now bundles
the pre-extracted `node_modules/xlsx/` (26 files) directly
inside the published @cmetech/otto tarball. End-user installs
no longer go through the file: resolver — npm sees xlsx is
already populated in node_modules and skips dep resolution.

SheetJS is pure JavaScript (os: any, cpu: any, no native
bindings) so one bundled copy works on all platforms.

The file:vendor/... dep spec is preserved for local dev; the
SHA-drift guard and prepublish verifier are unchanged.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>