[CI] lock dependencies while build release and docker image

Open jiqiang90 opened this issue 2 years ago • 2 comments

Prerequisites

  • [ ] Are you running the latest version(s)?
  • [ ] Have you searched the documentation for your issue?
  • [ ] Did you search for an existing issue or pull request?

Description

Since the files uploaded when we publish an npm package don't include any lock file (yarn.lock or package.json.lock), we are facing a risk of dependency bumps, so even if everything works in the local dev environment, it might not work with the package.

jiqiang90, Jul 12 '23 00:07

Duplicate of https://github.com/subquery/subql/issues/484

jiqiang90, Jul 13 '23 05:07

I don't think this is a good idea. There's no way to have lock files with npm packages and they don't allow it for a reason.

package.json supports version ranges for a reason so that dependencies can release bug fixes and not have to publish releases of downstream packages.

Unfortunately this leads to a difference between development, docker and npm package dependencies.

We also only maintain yarn.lock but not a package-lock.json and because we can't control what package manager a user would install from I don't think it makes sense to use a lock file.

stwiname, Aug 06 '23 23:08
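
The difference discussed in this thread, between the versions pinned in a development yarn.lock and what the package.json ranges resolve to on a lock-less install, can be made visible with a small check. This is an added example, not code from the subql project or the commenters; the package names, version lists and the simplified semver matcher (exact, `^` and `~` only, no prerelease tags) are constructed for illustration.

```javascript
// Added example: constructed data, simplified semver (exact, ^ and ~ only).
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Exclusive upper bound implied by a caret or tilde range.
function upperBound(op, base) {
  const [maj, min, pat] = parse(base);
  if (op === "~") return `${maj}.${min + 1}.0`;
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = op ? range.slice(1) : range;
  if (!op) return cmp(version, base) === 0; // exact pin
  return cmp(version, base) >= 0 && cmp(version, upperBound(op, base)) < 0;
}

// For each dependency, compute what a lock-less install would resolve to
// (highest published version inside the range) and report it when it
// differs from the version the development lock file pinned.
function driftReport(manifest, locked, published) {
  const report = [];
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    const resolved = published[name].filter((v) => satisfies(v, range)).sort(cmp).pop();
    if (resolved !== locked[name]) report.push({ name, range, locked: locked[name], resolved });
  }
  return report;
}

// Constructed sample data: manifest ranges, lock-file pins, registry versions.
const manifest = { dependencies: { "lib-a": "^1.4.0", "lib-b": "~2.1.3", "lib-c": "3.0.1", "lib-d": "^0.5.2" } };
const locked = { "lib-a": "1.4.0", "lib-b": "2.1.3", "lib-c": "3.0.1", "lib-d": "0.5.2" };
const published = {
  "lib-a": ["1.4.0", "1.4.2", "1.9.0", "2.0.0"],
  "lib-b": ["2.1.3", "2.1.10", "2.2.0"],
  "lib-c": ["3.0.1", "3.0.2"],
  "lib-d": ["0.5.2", "0.6.0"],
};
console.log(driftReport(manifest, locked, published));
```

Only the exact pin (`lib-c`) and the `0.x` caret range with no newer patch (`lib-d`) resolve to the locked versions; the other two float to newer releases that the development environment never tested.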