This repository has been archived by the owner on Jun 29, 2021. It is now read-only.
A description of the problem you're trying to solve, including why you think this is a problem
The GitHub security alert graph picks up security related issues, based on the dependency graph which itself targets package-lock.json.
Unfortunately, when installing NPM dependencies to a Meteor package, this will only create a .npm folder including an npm-shrinkwrap.json, which is similar but is not caught by the dependency graph.
Creating an additional package-lock.json could add automated package security scans for packages that depend on vulnerable NPM packages.
An overview of the suggested solution
The package build should create a package-lock.json (but not a package.json) in the top level of a package folder when publishing. It may or may not also add this package-lock.json as an entry to an existing .meteorignore, or create a new one.
If the feature changes current behavior, reasons why your solution is better
This remains a question, whether it changes current behavior.
Creating the package-lock.json by itself should be possible, but since GitHub offers automatic fixes in the file it should probably also be effective in some way so that the applied security patches have effect.