Regenerate package-lock

[mtrezza]

New Feature / Enhancement Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.

Current Limitation

It is currently undefined if and when package-lock.json should be completely regenerated.

The current approach seems to allow (partial) updates when:

• snyk updates
• a PR requires un-/install of a dependency

The limitations of that seem to be:

• snyk only updates for security vulnerabilities
• a PR requiring un-/install of a dependency comes along at irregular points in time and - if I'm not mistaken - does not regenerate the whole file.

The effect seem to be that sub-dependencies of packages that use range operators do not get updated. This is especially true for packages with low release frequency.

From a package deployment perspective, package-lock.json should be touched with care as it ensures a consistent dependency tree across deployments. However, from a package development perspective, regularly rebuilding package-lock.json seems a necessity due to the common use of range operators in dependencies.

Suggestion

Regularly completely regenerate package-lock.json in a dedicated PR. Possibly automated.

[mtrezza]

@dplewis @davimacedo What's your take on this?

[davimacedo]

We use to manually update it every time we create a new release. Maybe we could add this step to the ci process. Updating it at each release would be probably enough, right?

[mtrezza]

Yes, I think so. Adding to the CI is a good idea.