[6.4.1] - 2022-03-28
Removed:
The package-lock.json file is no longer in source control. As this is a library project, the lockfile never affected application code that used the SDK; it affected only the SDK's own CI build. It is preferable for the CI build to refer only to package.json, so that it resolves dependencies the same way an application using the SDK would, rather than using pinned versions that an application would never install. This also prevents incorrect results from security scanners that, when a lockfile is present, look only at the dependency versions in the lockfile (that is, the versions that were available when that file was generated) rather than at the versions the ranges in package.json currently resolve to.
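The following is an added example, not code from the SDK or from this changelog. It makes the gap described above concrete: for each dependency it puts the version a lockfile pins (what a lockfile-driven scanner would examine) next to the newest version that the range in package.json would resolve to on a fresh install (what an application depending on the SDK would actually get). The package names, versions, the package.json and package-lock.json fragments, and the "registry snapshot" are all constructed for illustration; the snapshot stands in for a live registry query, and the range matcher handles only exact pins, caret and tilde ranges.

```javascript
// Added example, not code from the SDK or its changelog. It shows the gap the
// entry describes: a lockfile pins each dependency to the version resolved when
// the file was generated, while a consumer installing from package.json alone
// resolves the newest version that satisfies each range. All package names,
// versions and the "registry" snapshot below are constructed for illustration.

// Constructed package.json fragment (ranges a library would publish).
const packageJson = {
  name: "example-sdk",
  dependencies: {
    "left-widget": "^1.2.0",   // caret: >=1.2.0 <2.0.0
    "parser-lib": "~2.1.0",    // tilde: >=2.1.0 <2.2.0
    "pinned-tool": "3.0.0",    // exact pin
  },
};

// Constructed package-lock.json fragment in the lockfileVersion 2/3 layout,
// where installed packages are keyed by their node_modules path.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-widget": { version: "1.2.0" },
    "node_modules/parser-lib": { version: "2.1.0" },
    "node_modules/pinned-tool": { version: "3.0.0" },
  },
};

// Constructed snapshot of what the registry offers "today" (stands in for a
// live `npm view <pkg> versions` query so the example runs offline).
const registrySnapshot = {
  "left-widget": ["1.2.0", "1.3.1", "1.4.0", "2.0.0"],
  "parser-lib": ["2.1.0", "2.1.4", "2.2.0"],
  "pinned-tool": ["3.0.0", "3.0.1"],
};

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease tags are not handled).
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Does `version` satisfy `range`? Supports exact pins, ^x.y.z and ~x.y.z,
// with npm's caret rule that the leftmost non-zero component is fixed
// (so ^0.2.3 allows 0.2.x only and ^0.0.3 allows 0.0.3 only).
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = op ? range.slice(1) : range;
  const v = parseVersion(version);
  const b = parseVersion(base);
  if (compareVersions(version, base) < 0) return false;
  if (op === "") return compareVersions(version, base) === 0;
  if (op === "~") return v[0] === b[0] && v[1] === b[1];
  if (b[0] !== 0) return v[0] === b[0];
  if (b[1] !== 0) return v[0] === 0 && v[1] === b[1];
  return v[0] === 0 && v[1] === 0 && v[2] === b[2];
}

// Highest available version satisfying the range, or null if none does.
function maxSatisfying(available, range) {
  const matching = available.filter((v) => satisfies(v, range)).sort(compareVersions);
  return matching.length ? matching[matching.length - 1] : null;
}

// For each declared dependency, report the locked version next to the
// version a fresh install from package.json alone would pick.
function lockfileDrift(pkg, lock, registry) {
  return Object.entries(pkg.dependencies).map(([name, range]) => {
    const locked = lock.packages[`node_modules/${name}`]?.version ?? null;
    const resolved = maxSatisfying(registry[name] ?? [], range);
    return { name, range, locked, resolved, drifted: locked !== resolved };
  });
}

// Stand-alone run: print the report.
for (const row of lockfileDrift(packageJson, packageLock, registrySnapshot)) {
  const flag = row.drifted ? "DRIFT" : "ok";
  console.log(`${flag.padEnd(5)} ${row.name} ${row.range}: lockfile=${row.locked} fresh-install=${row.resolved}`);
}
```

Every row flagged DRIFT is a dependency for which a scanner reading the lockfile would assess a version no consumer of the library installs; only the exact pin agrees in both columns. The same comparison, fed real package.json and package-lock.json files and real registry data, is a quick way to check whether a lockfile committed to a library repository is still telling the truth about what downstream installs receive.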