Remove yarn.lock and prevent it from being recommitted for the JupyterLab extension. While the merits of its existence in a repo are a highly debated topic in the JS community, it serves little purpose for us, particularly in this phase of active development, and causes security advisories that do not actually affect users of the extension. In the user flow the latest matching dependencies in package.json are used, which typically do not have the potential security issue (note that if they did we would still get alerts about it, as package.json is independently scanned). In our environment, yarn.lock only affects developers building "from source" and its presence documents a "last known good configuration", but given the size of our contributor base this isn't much of a value add and is causing more hassle than utility.