Add `package-lock.json` to the node-red repo


#1

I just cloned the node-red repo locally and noticed after running npm install that the package-lock.json has not been committed to master. It's considered a good practice to do this. Assuming you all have not previously decided NOT to add this file for a compelling reason, I am happy to submit a PR that adds this file.

Thanks!

Brandon


#2

Hi - one of the reasons we've avoided adding it in is because we have some dependencies where we want npm to pick the latest available version of the extra node-red nodes the core pulls in: https://github.com/node-red/node-red/blob/e03a0fffa9ea2b195d5acda5a8e918b148bce1b7/package.json#L63-L66

I believe if we introduce package-lock.json we'll lose that ability as it'll install the specific version in the lock file and not the latest that matches the semver in package.json - happy to be corrected if I'm wrong on it.

With the dev branch for 0.20, things get more complicated as we now have 5 modules under the one repo - and the development process never runs npm install under each of those modules, so we don't get a package-lock file generated for them.

So it's something to look at, but not necessarily as simple as just checking one in.
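
The trade-off discussed in #2, as an added example that is not part of the thread and not Node-RED code: a simplified model of how `npm install` picks a version with and without a lock file. The package names, versions, registry contents and the `satisfies`/`resolve` helpers are assumptions constructed for illustration, and only a small subset of semver ranges is handled.

```javascript
// Added example: a simplified model of npm's behaviour, not npm's resolver.
// Supports only exact versions, ^, ~ and "X.Y.*" ranges.
const parse = v => v.split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

function satisfies(version, range) {
  const v = parse(version);
  if (range.endsWith('.*')) {               // "0.1.*": any patch of 0.1
    const [maj, min] = parse(range.slice(0, -2));
    return v[0] === maj && v[1] === min;
  }
  const op = /^[\^~]/.test(range) ? range[0] : '=';
  const base = parse(op === '=' ? range : range.slice(1));
  if (op === '=') return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;       // never below the stated version
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  // caret: the leftmost non-zero component must stay the same
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return cmp(v, base) === 0;
}

// lock is null (no lock file) or a lockfileVersion 1 style object.
function resolve(pkg, registry, lock) {
  const out = {};
  for (const [name, range] of Object.entries(pkg.dependencies)) {
    const latest = registry[name]
      .filter(v => satisfies(v, range))
      .sort((a, b) => cmp(parse(a), parse(b)))
      .pop();
    const entry = lock && lock.dependencies[name];
    // A locked version that still satisfies the range wins over "latest".
    const installed = entry && satisfies(entry.version, range) ? entry.version : latest;
    out[name] = { installed, latest, behindLatest: installed !== latest };
  }
  return out;
}

// Constructed sample data (hypothetical package names and versions).
const pkg = { dependencies: { 'example-node-a': '0.1.*', 'example-node-b': '^1.1.0' } };
const registry = {
  'example-node-a': ['0.1.3', '0.1.4', '0.2.0'],
  'example-node-b': ['1.1.0', '1.2.5', '2.0.0'],
};
const lock = { dependencies: { 'example-node-a': { version: '0.1.3' }, 'example-node-b': { version: '1.1.0' } } };
console.log({ withoutLock: resolve(pkg, registry, null), withLock: resolve(pkg, registry, lock) });
```

In this model a locked version that no longer satisfies the range in package.json is ignored and the newest matching release is used instead.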