maintenance: remove lockfile
In this MR, I fix two aspects of the pg-listen package:
- I remove the package-lock.json file from being tracked by git. Lockfiles make sense for applications, but can be dangerous for libraries:
  - as they can make it more difficult to upgrade transitive dependencies for package consumers.
  - and because it's easy to manipulate them, bypassing the code review process.
Hey @castarco this project seems to be abandoned. Have you considered asking the author to let you manage it?
Hi @xgalen, I didn't think about it. I have severe ADHD and I could burn out quickly being the sole maintainer of a package used by so many people. I see myself helping only if it keeps being a group endeavour.
Please do not remove the lockfile. The original point is invalid — the lockfiles are not used by package consumers at all, only the library's package.json with its semvers is used. The lockfiles are only used when installing as a root project (i.e., when checking out this library for development).
Maintaining the lockfile is crucial for a consistent environment during development; otherwise it may (and will) break. It is specifically intended to be committed: "This file is intended to be committed into source repositories" (docs.npmjs.com).
Even if the problem described in the original post were the case (it's not), it should have been resolved by properly using the "files" section in package.json (excluding the lock file from being published), not by gitignoring it.
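The MR description raises the concern that a lockfile can be altered in ways that slip past code review, since the "resolved" URLs and "integrity" hashes inside it are rarely read in a diff. As an added example that is not part of this MR or of the pg-listen project, the script below turns that concern into a mechanical check for a package-lock.json in the lockfileVersion 2/3 layout (a top-level "packages" map). The sample lockfile, the hash placeholder and the hostname evil.example.net are constructed for this example; the only assumption about the real world is that the legitimate registry is registry.npmjs.org.

```javascript
// Added example, not code from the pg-listen project or this MR.
// Audits a package-lock.json (lockfileVersion 2/3, top-level "packages" map)
// for the kinds of edits that are easy to overlook in code review:
//   - a dependency "resolved" from a host other than the expected registry
//   - a missing or malformed "integrity" hash (npm then cannot verify the tarball)
//   - a tarball file name that does not match the recorded version

// Constructed sample lockfile for this example (not a real project's lockfile).
// The integrity values are placeholders, not real hashes.
const PLACEHOLDER_HASH = "sha512-" + "A".repeat(86) + "==";
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { pg: "^8.0.0", "left-pad": "^1.3.0" } },
    "node_modules/pg": {
      version: "8.11.3",
      resolved: "https://registry.npmjs.org/pg/-/pg-8.11.3.tgz",
      integrity: PLACEHOLDER_HASH,
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      // Host swapped away from the registry: an attacker-controlled tarball
      // (evil.example.net is a constructed name for this example).
      resolved: "https://evil.example.net/left-pad/-/left-pad-1.3.0.tgz",
      integrity: PLACEHOLDER_HASH,
    },
    "node_modules/pg-types": {
      version: "2.2.0",
      resolved: "https://registry.npmjs.org/pg-types/-/pg-types-2.2.0.tgz",
      // integrity deliberately absent: npm will install without verifying the tarball
    },
  },
};

// Returns a list of findings; an empty list means nothing suspicious was found.
function auditLockfile(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue;      // the root project entry has no tarball
    if (entry.link) continue;       // workspace symlinks are not fetched
    const name = path.replace(/^.*node_modules\//, "");

    if (!entry.resolved) {
      findings.push({ name, issue: "no resolved URL" });
      continue;
    }
    let host;
    try {
      host = new URL(entry.resolved).hostname;
    } catch (e) {
      findings.push({ name, issue: "unparseable resolved URL", detail: entry.resolved });
      continue;
    }
    if (!allowedHosts.includes(host)) {
      findings.push({ name, issue: "resolved from unexpected host", detail: host });
    }
    if (!entry.integrity) {
      findings.push({ name, issue: "missing integrity hash" });
    } else if (!/^sha(256|384|512)-[A-Za-z0-9+/=]+$/.test(entry.integrity)) {
      findings.push({ name, issue: "malformed integrity hash", detail: entry.integrity });
    }
    if (entry.version && !entry.resolved.includes(`-${entry.version}.tgz`)) {
      findings.push({ name, issue: "tarball name does not match version", detail: entry.version });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Against the constructed sample the audit reports two findings: left-pad resolved from evil.example.net, and pg-types without an integrity hash. To run it on a real checkout, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the CI job when the returned list is non-empty; if a private registry mirror is in use, pass its hostname in allowedHosts.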