Closed sunesimonsen closed 6 years ago
Thanks 😊
@kenchris @sunesimonsen For the record, this is a bad idea. A lockfile is intended to ensure reproducible builds, and is a security measure; if there's a security issue in a more recent version of a package, that issue isn't passed on (the lockfile ensures you install a specific version).
@jhpratt I'm aware why a lock file is useful, but I would normally only use it for applications and not for libraries. I would like libraries to be able to compose their version ranges without being too rigorous, and have libraries tested against the latest versions of dependencies. Others agree. The lock file and your offline mirror in your application are going to prevent you from upgrading dependencies unknowingly.
That being said, with the current security situation in NPM packages, we might want to also protect developers of these packages from installing updated dependencies, as they potentially could include new security problems.
Another way of attacking this problem would be to curate the dependencies of this library, keep the amount small, and suggest that the authors use 2FA for publishing. Don't know if this is a viable solution.
I'm of course okay with adding a lock file; it should just be intentional. My PR was just hard-coding the current configuration, as the repository didn't include a lock file.
Added a .npmrc to avoid generating a package-lock.json file.
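The thread turns on one property of a lockfile: every dependency declared in package.json is pinned to a single resolved version inside its declared range, with an integrity hash, so a fresh install cannot silently pick up a newer release. The following is an added example (not code from the thread or from this project) that checks exactly that property over a constructed package.json and package-lock.json; the package names, versions and `sha512-…` placeholders are made up for the example, and only the caret, tilde and exact range forms are handled. The .npmrc setting the last comment refers to is `package-lock=false`, which stops npm from writing package-lock.json at all.

```javascript
// Added example: verify that a package-lock.json pins every declared
// dependency to one version inside its declared range and records an
// integrity hash for it. Both documents below are constructed inline.
//
// The .npmrc setting mentioned in the thread, for reference:
//   package-lock=false

const PACKAGE_JSON = {
  name: "example-lib",
  version: "1.0.0",
  dependencies: {
    "left-pad": "^1.3.0",
    "lodash": "~4.17.0",
    "chalk": "2.4.1",
    "minimist": "^1.2.0",
  },
};

// lockfileVersion 2/3 shape: entries are keyed by install path.
const PACKAGE_LOCK = {
  name: "example-lib",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-lib", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-AAAA" }, // placeholder hash
    "node_modules/lodash":   { version: "4.18.0", integrity: "sha512-BBBB" }, // drifted outside ~4.17.0
    "node_modules/chalk":    { version: "2.4.1" },                             // no integrity hash
    // minimist is declared in package.json but absent from the lock
  },
};

// Parse a plain x.y.z version into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` lies within `range`. Handles ^, ~ and exact ranges only;
// anything else throws, which is the safe failure for a consistency check.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const lo = parseVersion(range.slice(1));
    // ^ keeps the leftmost non-zero component fixed.
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
             : lo[1] > 0 ? [0, lo[1] + 1, 0]
             : [0, 0, lo[2] + 1];
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  }
  if (range.startsWith("~")) {
    const lo = parseVersion(range.slice(1));
    const hi = [lo[0], lo[1] + 1, 0]; // ~ allows patch-level changes only
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Returns a list of problems; an empty list means the lock pins everything
// package.json declares, within range, with an integrity hash.
function checkLock(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: declared but not pinned in lockfile`);
      continue;
    }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: pinned ${entry.version} is outside declared range ${range}`);
    }
    if (!entry.integrity) {
      problems.push(`${name}: pinned ${entry.version} has no integrity hash`);
    }
  }
  return problems;
}

console.log(checkLock(PACKAGE_JSON, PACKAGE_LOCK).join("\n"));
```

Run against a real project by replacing the two constants with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; a non-empty result means the lockfile no longer describes what package.json asks for, which is the situation a library without a committed lockfile is in permanently.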