include package-lock.json, so that it could be easily shipped in e.g. nixos?

[farcaller]

Is your feature request related to a problem? Please describe.

It's not trivial to ship haraka in a reproducible build environments, as any given commit might be transitively broken by sporadic dependency changes.

Describe the solution you'd like

This is a bit of a reiteration on #2960. The problem is that it's not trivial to build haraka at a specific commit in e.g. nixos, as dependencies aren't locked. I checked the comments in #2960, and I'm pretty sure that the concerns in that one can be alleviated by dependabot.

Describe alternatives you've considered

1. Maintain a separate repository that keeps Haraka's lockfile out of the tree. I can set it up, but it's slightly annoying to depend on a third-party (myself) when it comes to haraka package in nixos.
2. Vendor the lockfile in nixpkgs. This is the current approach in haraka: init at 3.0.2 NixOS/nixpkgs#251994, but it will be harder to keep up with the new releases as the automation won't be able to bump the versions on its own.

[msimerson]

1. Maintain a separate repository that keeps Haraka's lockfile out of the tree. I can set it up, but it's slightly annoying to depend on a third-party (myself) when it comes to haraka package in nixos.

This is getting close to a decent idea. Instead, have a branch in the main repo that automatically generates the lock file and pushes the release (with lockfile) to that branch. Then have NixOS build from that branch. Or something fun like that, that's completely automatic.