Without a package-lock.json, running npm i in a checkout can resolve a different set of dependency versions on every install, because the version ranges in package.json (for example ^4.17.0) are satisfied by whatever the registry currently serves.
Tagged commits in particular should carry an up-to-date package-lock.json, so that the same artifacts as the ones published on PyPI can be reproduced from the tag. With the lock file in place, npm ci installs exactly the versions and integrity hashes it records and refuses to run if the lock file is out of sync with package.json, whereas npm i may silently rewrite the lock file.
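As an added example (not code from the project or the original note), the following script checks that a package-lock.json is present and in sync with package.json before a tagged release is cut: every direct dependency must be locked, carry an integrity hash, and have a locked version that still satisfies the range in package.json. It implements only the caret, tilde and exact range forms of npm's version syntax; the sample package.json and lock contents are constructed inline (lockfileVersion 3 layout, placeholder integrity values), and the stale "semver" entry is deliberately out of range to show what a drifted lock file looks like.

```python
"""Check that package-lock.json pins every direct dependency in package.json.

Added example, not project code. Handles lockfileVersion 2/3 ("packages" map)
and the ^x.y.z, ~x.y.z and exact x.y.z range forms only.
"""
import json
import re

# Constructed sample manifest (not from any real project).
PACKAGE_JSON = {
    "name": "demo",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.0", "semver": "~7.5.0"},
    "devDependencies": {"typescript": "^5.0.0"},
}

# Constructed sample lock file; integrity values are placeholders.
# "semver" is locked at 7.6.0, which ~7.5.0 does not allow: a stale lock.
PACKAGE_LOCK = {
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"lodash": "^4.17.0", "semver": "~7.5.0"},
            "devDependencies": {"typescript": "^5.0.0"},
        },
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/semver": {"version": "7.6.0", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/typescript": {"version": "5.3.3", "dev": True, "integrity": "sha512-PLACEHOLDER"},
    },
}


def parse_version(version):
    """Return (major, minor, patch) for 'x.y.z' or 'x.y.z-prerelease'.

    Prerelease tags are accepted but ignored in ordering; a non-semver string
    raises ValueError rather than being silently treated as satisfied.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?", version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(x) for x in m.groups())


def range_bounds(spec):
    """Return (low_inclusive, high_exclusive) for ^x.y.z, ~x.y.z or exact x.y.z.

    Any other range syntax (||, >=, *, tags, git URLs) returns None so the
    caller flags it instead of guessing.
    """
    m = re.fullmatch(r"([~^]?)(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        return None
    op, major, minor, patch = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
    low = (major, minor, patch)
    if op == "":
        return low, (major, minor, patch + 1)
    if op == "~":
        return low, (major, minor + 1, 0)
    # Caret: the leftmost non-zero component may not change.
    if major > 0:
        return low, (major + 1, 0, 0)
    if minor > 0:
        return low, (0, minor + 1, 0)
    return low, (0, 0, patch + 1)


def satisfies(version, spec):
    """True if the locked version lies inside the range from package.json."""
    bounds = range_bounds(spec)
    if bounds is None:
        return False
    low, high = bounds
    return low <= parse_version(version) < high


def check_lock(pkg, lock):
    """Return a list of problems; an empty list means the lock is usable for a release."""
    problems = []
    packages = lock.get("packages", {})
    wanted = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    root = packages.get("", {})
    root_wanted = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    if root_wanted != wanted:
        # This is the condition under which npm ci refuses to install.
        problems.append("root manifest recorded in the lock differs from package.json")
    for name, spec in wanted.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: missing from package-lock.json")
            continue
        if not entry.get("integrity"):
            problems.append(f"{name}: no integrity hash recorded")
        if not satisfies(entry["version"], spec):
            problems.append(f"{name}: locked {entry['version']} does not satisfy {spec}")
    return problems


def check_lock_files(pkg_path="package.json", lock_path="package-lock.json"):
    """Same check against files on disk, for use in a release script."""
    with open(pkg_path) as f, open(lock_path) as g:
        return check_lock(json.load(f), json.load(g))


if __name__ == "__main__":
    for problem in check_lock(PACKAGE_JSON, PACKAGE_LOCK) or ["lock file is in sync"]:
        print(problem)
```

Run the script from the checkout of a tagged commit; any output other than "lock file is in sync" means the tag cannot reproduce the published artifacts. A lock file that passes this check can then be installed with npm ci, which will not modify it.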