Lack of package-lock.json is effectively removing a key supply chain security feature

Open the-gabe opened this issue 1 year ago • 0 comments

In https://github.com/google/docsy/pull/920 it has been discussed that there will be no package-lock.json. I would strongly urge for this to be reconsidered, given that a package-lock.json is responsible for distrusting npmjs.org on a TOFU basis. It is a fundamentally important security feature to have a package-lock.json; otherwise, blindly trusting what is on npmjs.org every single time "npm install" is executed seems like just an objectively bad idea.

the-gabe avatar Sep 09 '24 16:09 the-gabe