npm-install
Excluded version from package-lock hash
First of all, thanks for this great package! This is definitely something that is needed in the ecosystem.
I was curious what the cache was keyed on and started reading the source. I see that you hash the lock file which is great, without it the cache can easily balloon in size as package versions are bumped, and the old cache is always retained 😅
There is one annoying thing with the package-lock format though, it includes the version of the app itself. That means that the cache will be invalidated not only when the dependencies change, but when the version of the app/library changes.
In another tool, I've worked around this by always setting the root version property in package-lock to 0.0.0, which lets the (in that case Docker) cache work across version bumps:
https://github.com/LinusU/scandium/blob/2d6eb942f7c10f1d5c91b71b31dd542f335ad142/lib/builder.js#L37-L38
How would you feel about doing something similar here?
I'm thinking something like:
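```js
const fs = require('fs')
const hasha = require('hasha')
const packageLockData = JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
const packageLockHash = hasha(JSON.stringify({ ...packageLockData, version: '0.0.0' })) // hasha(input) hashes a string; it has no fromString helper
```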
I'd be happy to submit a PR 🚀
Due to this issue I have a cache miss every build :|, pls let's fix it 🙏🏼
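
The normalization proposed in this issue, as an added example that is not code from the thread or from the project. It uses Node's built-in `crypto` instead of `hasha` and goes one step beyond the snippet above: lockfileVersion 2 and 3 files repeat the root version under `packages[""]`, which the thread does not mention, so that copy is pinned too. The names `normalizeLock`, `lockCacheKey` and `sampleLock` are hypothetical, and the sample lockfile is constructed.

```javascript
const crypto = require('crypto')

// Return a copy of the parsed lockfile with the project's own version pinned,
// so that only dependency entries (versions, integrity hashes) affect the key.
function normalizeLock (lock) {
  const copy = { ...lock, version: '0.0.0' }
  // Not covered in the thread: lockfileVersion 2/3 repeat the root version here.
  if (lock.packages && lock.packages['']) {
    copy.packages = {
      ...lock.packages,
      '': { ...lock.packages[''], version: '0.0.0' }
    }
  }
  return copy
}

// Cache key = SHA-512 over the normalized lockfile text.
function lockCacheKey (lockText) {
  const normalized = normalizeLock(JSON.parse(lockText))
  return crypto.createHash('sha512').update(JSON.stringify(normalized)).digest('hex')
}

// Constructed sample lockfile (not taken from any real project).
function sampleLock (appVersion, depVersion) {
  return JSON.stringify({
    name: 'demo-app',
    version: appVersion,
    lockfileVersion: 2,
    packages: {
      '': { name: 'demo-app', version: appVersion, dependencies: { 'left-pad': '^1.3.0' } },
      'node_modules/left-pad': { version: depVersion, integrity: 'sha512-CONSTRUCTED' }
    },
    dependencies: { 'left-pad': { version: depVersion, integrity: 'sha512-CONSTRUCTED' } }
  })
}

const base = lockCacheKey(sampleLock('1.0.0', '1.3.0'))
console.log('app version bump keeps key:', base === lockCacheKey(sampleLock('1.0.1', '1.3.0')))
console.log('dependency bump changes key:', base !== lockCacheKey(sampleLock('1.0.0', '1.3.1')))
```

Everything except the two root version fields still feeds the hash, so a changed dependency version or `integrity` value produces a new key and the old cache entry is not reused.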