Add package-lock.json

[benmccann]

When using npm 5 to build a package-lock.json file is created with the following message:

npm notice created a lockfile as package-lock.json. You should commit this file

[etimberg]

Looks good to me. @simonbrunel ?

[simonbrunel]

If I understand correctly, the package-lock.json only makes sense if:

• Travis is setup to build on Node.js 8 / npm 5 (not sure if it's supported yet),
• all contributors switch their environment to Node.js 8 (6.11.0 LTS is currently recommended),
• package-lock.json is not updated in every PR (what npm commands update this file?)

If we can't get Travis to use this package-lock.json file, then I would not add it to the repository because builds will not reflect the locked dependencies. And since most of the dependencies are dev, does it make really sense to lock these deps? I would rather use pinned versions for the 2 non dev dependencies we have (moment and chartjs-color) and git ignore this package-lock.json.

Don't you think that this file will finally generate more noise and work than benefits?

[benmccann]

package-lock.json doesn't require a certain version of Node. Only of npm

I use node 6 to build locally, which is the latest LTS as you've pointed out. I've sent a separate PR to update Travis to use node 6 instead of node 5

Travis uses npm 3 by default regardless of node version, so you're right that it's ignoring this file at the moment. For people who use npm 5 they're going to be continually bugged to check in this file. So it seems like we should either ask Travis to use npm 5 or maybe add this file to .gitignore?

[simonbrunel]

I'm still thinking it will bring more noise than benefits, so my personal choice would be to .gitignore it.

I suggested Node.js 8 because I think npm 5 comes bundled in that version (at least on Windows), but you right, it has nothing to do with the version of Node.js.

edit: seems I removed the .gitignore suggestion in my previous comment before posting

[simonbrunel]

@etimberg what do you think?

[etimberg]

I think it really depends on how often we update it. It's noisy if it's always updating

[benmccann]

I believe it will only update upon request or when package.json is updated.

However, I'm going to close this for now because I discovered there's a bug in npm's handling of this file that's a dealbreaker. I may reopen when the bug is fixed