maint/deps ~ store package locks (for CI/dev reproducibility)
# [why]

When using the standard dependency install procedure (`npm install` or `yarn install`), a
new dependency tree will be created based on conditions at the time of installation. If
the project *and all its dependencies* don't use strict, fully semver-compatible,
versioning then the built/tested project may be subtly different from some other
installation, even when reconstituted from exactly the same package code.

In practice, especially with a small number of simple dependencies, this may not be a
problem, but it can become one with larger code bases. So, as a hedge against dependency
drift, store package locks periodically (likely with each published version). The stored
locks can be used to generate a stable touchstone for development and testing.

To install identical development/CI environments, use `npm clean-install` (or `npm ci`).
The equivalent `yarn` command is `yarn install --immutable --immutable-cache --check-cache`.

ref: [Commit 'package-lock.json'?](https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5)@@<https://archive.is/PN1P2>
ref: [Yarn equivalent of `npm ci`](https://stackoverflow.com/questions/58482655/what-is-the-closest-to-npm-ci-in-yarn)@@<https://archive.is/FlEf0>
ref: [Convert 'package-lock.json' to 'yarn.lock'](https://stackoverflow.com/questions/50093627/how-to-convert-package-lock-json-to-yarn-lock)@@<https://archive.is/t0QV0>
rivy committed Aug 1, 2022
1 parent 4907941 commit b042578
Showing 2 changed files with 15,245 additions and 0 deletions.
