[feature request] prevent including unnecessary files in the deployed package

We should consider adding the `"files"` stanza to the `package.json` to create an explicit allowlist and prevent deploying any unnecessary files to the npm registry as part of our package. This would be preferable to using a `.npmignore` file, which we have been doing so far but is expected to quickly become unmanageable as more files are added.