
Regenerate package-lock

Open mtrezza opened this issue 4 years ago • 8 comments

New Feature / Enhancement Checklist

Current Limitation

It is currently undefined if and when package-lock.json should be completely regenerated.

The current approach seems to allow (partial) updates when:

  • snyk updates
  • a PR requires un-/install of a dependency

The limitations of that seem to be:

  • snyk only updates for security vulnerabilities
  • a PR requiring un-/install of a dependency comes along at irregular points in time and - if I'm not mistaken - does not regenerate the whole file.

The effect seems to be that sub-dependencies of packages that use range operators do not get updated. This is especially true for packages with low release frequency.

From a package deployment perspective, package-lock.json should be touched with care as it ensures a consistent dependency tree across deployments. However, from a package development perspective, regularly rebuilding package-lock.json seems a necessity due to the common use of range operators in dependencies.

Suggestion

Regularly completely regenerate package-lock.json in a dedicated PR. Possibly automated.

mtrezza Jun 05 '21 09:06
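As an added example (not part of this issue or of the parse-server project), the following Python script compares two package-lock.json files so that a dedicated "regenerate package-lock" PR can be reviewed for what actually moved: added, removed and version-bumped packages (sub-dependencies included), plus two supply-chain checks a reviewer wants flagged, a package whose `resolved` URL now points at a different host and a package whose `integrity` hash changed while its version did not. The lockfile contents are constructed for the example, and the regeneration command named in the docstring (`npm install --package-lock-only` after deleting the lockfile) is assumed to be how such a PR is produced.

```python
"""Diff two package-lock.json files (lockfileVersion 2/3, "packages" map).

Intended use, assumed: after `rm package-lock.json && npm install --package-lock-only`
run this against the committed and regenerated lockfiles and attach the report
to the PR, so sub-dependency bumps and resolution changes are reviewed, not hidden.
"""
import json
from urllib.parse import urlparse

# Constructed sample lockfiles; the package names, versions and URLs are illustrative.
OLD_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"express": "^4.17.0", "lodash": "^4.17.0"}},
        "node_modules/express": {
            "version": "4.17.1",
            "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
            "integrity": "sha512-CONSTRUCTED-express-4.17.1"},
        "node_modules/body-parser": {
            "version": "1.19.0",
            "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz"},
        "node_modules/lodash": {
            "version": "4.17.20",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz"},
        "node_modules/leftover": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/leftover/-/leftover-0.1.0.tgz"},
    },
})
NEW_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"express": "^4.17.0", "lodash": "^4.17.0"}},
        "node_modules/express": {
            "version": "4.17.1",
            "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
            "integrity": "sha512-CONSTRUCTED-express-4.17.1"},
        "node_modules/body-parser": {
            "version": "1.19.2",
            "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.19.2.tgz"},
        "node_modules/lodash": {
            "version": "4.17.21",
            # Constructed: same package now resolving from a different host.
            "resolved": "https://registry.example.invalid/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/qs": {
            "version": "6.10.3",
            "resolved": "https://registry.npmjs.org/qs/-/qs-6.10.3.tgz"},
    },
})


def load_packages(lock_text):
    """Return {path: entry} from the "packages" map, dropping the root entry ""."""
    data = json.loads(lock_text)
    packages = data.get("packages")
    if packages is None:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with a current npm")
    return {path: entry for path, entry in packages.items() if path != ""}


def host_of(url):
    """Registry host a package was resolved from, or None if not recorded."""
    return urlparse(url).netloc if url else None


def diff_lockfiles(old_text, new_text):
    """Compare two lockfiles and return a report dict with sorted, deterministic content."""
    old, new = load_packages(old_text), load_packages(new_text)
    report = {"added": {}, "removed": {}, "changed": {},
              "source_changed": [], "integrity_changed": []}
    for path in sorted(new.keys() - old.keys()):
        report["added"][path] = new[path].get("version")
    for path in sorted(old.keys() - new.keys()):
        report["removed"][path] = old[path].get("version")
    for path in sorted(old.keys() & new.keys()):
        o, n = old[path], new[path]
        if o.get("version") != n.get("version"):
            report["changed"][path] = (o.get("version"), n.get("version"))
        elif o.get("integrity") != n.get("integrity"):
            # Same version, different tarball hash: the artifact itself changed.
            report["integrity_changed"].append(path)
        if host_of(o.get("resolved")) != host_of(n.get("resolved")):
            # Same package now fetched from another host: review before merging.
            report["source_changed"].append(path)
    return report


def format_report(report):
    """Render the report as plain text suitable for a PR description."""
    lines = []
    for path, version in report["added"].items():
        lines.append(f"+ {path} {version}")
    for path, version in report["removed"].items():
        lines.append(f"- {path} {version}")
    for path, (before, after) in report["changed"].items():
        lines.append(f"~ {path} {before} -> {after}")
    for path in report["source_changed"]:
        lines.append(f"! {path}: resolved host changed")
    for path in report["integrity_changed"]:
        lines.append(f"! {path}: integrity changed without a version change")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_lockfiles(OLD_LOCK, NEW_LOCK)))
```

Run as `python lockdiff.py` with the constructed samples, or replace `OLD_LOCK`/`NEW_LOCK` with the contents of the committed and regenerated files. The `!` lines are the ones that deserve a reviewer's attention before the regenerated lockfile is merged; plain version bumps are the expected outcome of the regeneration the issue asks for.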