Request to remove "package-lock.json" to allow consumers to install the latest security fixes for all transitive dependencies based on semvers defined in "package.json"

[mpawlow]

Overview

• The package-lock.json is locking down library versions for all transitive (child) dependencies in the hierarchy
• Problem: This prevents the consuming service that is installing this library to automatically pick-up the latest security fixes based on the semvers defined in package.json and all child dependencies
  • e.g. We typically run npm update to pull in the latest library versions
  • Also, it defeats the npm tree-shaking mechanism to consolidate duplicate library versions into single version based on semver restrictions
• Note: Including package-lock.json at the library level doesn't seem to be an industry standard or best practice based on the most popular Node libraries in the ecosystem
• From a DevOps perspective, only top level services that include these libraries should define a package-lock.json when deploying the app to different environments (DEV, QA, PROD)
• Solution: The request is to simply remove and do not generate the package-lock.json file

Related Issues (regarding packaging)

• move some dependencies to devdependencies #266
• SDK pulls in development level dependencies for production #174

[mpawlow]

Confirmed that the library is published without the package-lock.json file (in the node_modules directory)

Closing as Invalid