paulmillr / scure-bip32

Secure, audited & minimal implementation of BIP32 hierarchical deterministic (HD) wallets.
https://paulmillr.com/noble/#scure
MIT License

Add a package.lock. #6

Closed MicahZoltu closed 2 years ago

MicahZoltu commented 2 years ago

This allows build systems and auditors to do npm ci instead of npm install, which will validate that the dependencies used to build the project are identical to those checked into the repository.
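
An added example, not part of the comment above or of scure-bip32: a simplified model of what a committed lockfile lets a build verify, namely that package.json and the lockfile agree and that each fetched tarball matches its pinned `integrity` hash. It is not npm's own code; the function names, the package name `example-dev-dep` and the tarball bytes are constructed for illustration.

```javascript
// Added example: simplified model of lockfile verification (not npm's code).
// Package names and tarball bytes below are constructed sample data.
const crypto = require('node:crypto');

// SRI string in the form used by lockfile "integrity" fields.
function sri(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Returns a list of problems; an empty list means the inputs match the lock.
function auditLock(manifest, lock, tarballs) {
  const problems = [];
  const root = lock.packages[''] || {};
  const want = { ...manifest.dependencies, ...manifest.devDependencies };
  const have = { ...root.dependencies, ...root.devDependencies };
  // 1. package.json and the lockfile must declare the same dependencies.
  for (const name of new Set([...Object.keys(want), ...Object.keys(have)])) {
    if (want[name] !== have[name]) problems.push(`out of sync: ${name}`);
  }
  // 2. Every locked package needs a pinned hash that the fetched bytes match.
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry has no tarball
    if (!entry.integrity) { problems.push(`no integrity: ${path}`); continue; }
    const bytes = tarballs[path];
    if (!bytes) { problems.push(`missing tarball: ${path}`); continue; }
    // An integrity field may list several hashes; one match is enough here.
    const ok = entry.integrity.split(/\s+/)
      .some((h) => sri(bytes, h.split('-')[0]) === h);
    if (!ok) problems.push(`hash mismatch: ${path}`);
  }
  return problems;
}

// Constructed sample: one dev dependency, locked by hash.
function sampleProject() {
  const tarball = Buffer.from('constructed tarball bytes for example-dev-dep 1.0.0');
  const manifest = { name: 'demo', devDependencies: { 'example-dev-dep': '1.0.0' } };
  const lock = {
    lockfileVersion: 3,
    packages: {
      '': { name: 'demo', devDependencies: { 'example-dev-dep': '1.0.0' } },
      'node_modules/example-dev-dep': { version: '1.0.0', dev: true, integrity: sri(tarball) },
    },
  };
  return { manifest, lock, tarballs: { 'node_modules/example-dev-dep': tarball } };
}
```

The check covers dev dependencies as well, since those are what run when the project itself is built from the repository.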

paulmillr commented 2 years ago

Absolutely not. I have removed lockfiles from all my repositories, because Dependabot and other useless bots, and blind people were spamming me about "security vulnerabilities", which are not vulnerabilities, etc. They don't care if it's devdeps, or not devdeps.

Most people use npm packages instead of the GitHub repo directly, so this would bring no benefit to them. The commits are signed by me in any case.