Aren't you mixing up two things here: committing to a source code repository, and publishing to a registry?
`npm pack` strips out `package-lock.json` for publishing. But I believe that even if there were `package-lock.json` files in dependencies, `npm install` ignores any but the top-level one, anyway. It wouldn't make sense conceptually to consider them, because if you successfully lock down your dependency versions from your root, you implicitly lock them for all dependencies further down the tree, as well.
On the other hand, nothing speaks against publishing `package-lock.json` with the source code. In fact, that's half of the reason for its existence. Because it only has an effect if it's the top-level package, it will help library developers with its intended purpose, while not affecting library consumers.
Please correct me if I'm misunderstanding something here!