This means we can use tools like "npm audit" to look for security
vulnerabilities we definitely need to fix as they could pose a
direct risk to users. I've checked each of them with @tombye and
also against an external set of principles [^1].
Note: I've skimmed through the package-lock.json to check the only
changes are to add "dev: true", as well as a few integrity hashes.
[^1]: https://betterprogramming.pub/is-this-a-dependency-or-a-devdependency-678e04a55a5c
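An added example for the lock-file check described in the note above (it is not code from the Notify repository or from this commit): a small Node script that compares two lockfileVersion 2 package-lock.json objects and reports any change other than a `dev` flag or an `integrity` hash, lists what a production install (`npm ci --omit=dev`) would still pull in, and flags any direct production dependency that the lock wrongly marks as dev. The two lock files, the package names and the registry URL are constructed sample data.

```javascript
// Added example, not code from the Notify repo: sanity-check a package-lock.json
// (lockfileVersion 2) change that is supposed to do nothing but mark packages
// as devDependencies. Both lock files below are constructed sample data.

const before = {
  name: 'sample-app',
  lockfileVersion: 2,
  packages: {
    // Root entry mirrors package.json: "left" ships to production, "linter" does not.
    '': { name: 'sample-app', dependencies: { left: '1.0.0' }, devDependencies: { linter: '2.0.0' } },
    'node_modules/left':   { version: '1.0.0', resolved: 'https://registry.example/left-1.0.0.tgz',   integrity: 'sha512-AAA' },
    'node_modules/linter': { version: '2.0.0', resolved: 'https://registry.example/linter-2.0.0.tgz', integrity: 'sha512-BBB' },
  },
};

// The "after" lock: linter is now flagged dev and its integrity hash was
// refreshed, which is the kind of diff the commit note above says it checked for.
const after = JSON.parse(JSON.stringify(before));
after.packages['node_modules/linter'].dev = true;
after.packages['node_modules/linter'].integrity = 'sha512-CCC';

// Fields a "mark as dev" change is allowed to touch. Anything else (version,
// resolved URL, an added or removed package) is a real dependency change.
const ALLOWED_FIELDS = new Set(['dev', 'integrity']);

// Compare two lock files and return every change outside ALLOWED_FIELDS.
function unexpectedChanges(oldLock, newLock, allowed = ALLOWED_FIELDS) {
  const problems = [];
  const paths = new Set([...Object.keys(oldLock.packages), ...Object.keys(newLock.packages)]);
  for (const path of paths) {
    const a = oldLock.packages[path];
    const b = newLock.packages[path];
    if (!a || !b) {
      problems.push({ path, reason: a ? 'package removed' : 'package added' });
      continue;
    }
    for (const key of new Set([...Object.keys(a), ...Object.keys(b)])) {
      if (allowed.has(key)) continue;
      if (JSON.stringify(a[key]) !== JSON.stringify(b[key])) {
        problems.push({ path, reason: `field "${key}" changed` });
      }
    }
  }
  return problems;
}

// Packages an `npm ci --omit=dev` install would still pull in (no dev flag).
function productionPackages(lock) {
  return Object.keys(lock.packages)
    .filter((path) => path !== '' && !lock.packages[path].dev)
    .map((path) => path.replace(/^node_modules\//, ''))
    .sort();
}

// Direct production dependencies (root "dependencies") that the lock marks as
// dev. A production install would silently omit these, so a misplaced flag
// breaks the build rather than just narrowing what `npm audit --omit=dev` sees.
function misflaggedProductionDeps(lock) {
  const direct = Object.keys(lock.packages[''].dependencies || {});
  return direct.filter((name) => {
    const entry = lock.packages[`node_modules/${name}`];
    return Boolean(entry) && entry.dev === true;
  });
}

// Stand-alone run: report on the constructed sample.
console.log('unexpected changes:', unexpectedChanges(before, after));
console.log('production packages:', productionPackages(after));
console.log('misflagged production deps:', misflaggedProductionDeps(after));
```

In practice you would load the two objects with `JSON.parse(fs.readFileSync(...))` from the base and head commits. An empty result from `unexpectedChanges` is what justifies the "only dev flags and integrity hashes changed" claim; a non-empty one means the diff also moves a version or adds a package and needs a real review, and a non-empty `misflaggedProductionDeps` means a production dependency would disappear from a production install.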
Creates a "v2" package-lock.json file for consistent dependency
installation.
Lock file created using `npm i --package-lock-only`
Signed-off-by: Richard Baker <richard.baker@digital.cabinet-office.gov.uk>
I don’t think we’re getting any benefit from it. Especially since we’re
not running any Node code in production, but just using it to build the
frontend.
The downside is we keep getting these massive diffs which means we don’t
get an accurate line count on pull requests.
Followed instructions here:
https://codeburst.io/disabling-package-lock-json-6be662f5b97d
`package-lock.json` is a file that newer versions of NPM generate
when installing dependencies.
> It describes the exact tree that was generated, such that
> subsequent installs are able to generate identical trees,
> regardless of intermediate dependency updates.
> This file is intended to be committed into source repositories.
– https://docs.npmjs.com/files/package-lock.json