BigBlueHat
commented
10 months ago @iherman there's ancient debate about the value of keeping package-lock.json in version control. It's mainly for pinning more specific (minor) versions of the more general (major/wild-card) versions in package.json. If/when keeping that minor version recorded and/or updated isn't worth the overhead (vs. trusting the latest findings based on package.json), then deleting it--rather than updating it--would have the same effect as this update has done.
At this point, I'd suggest removing package-lock.json would probably be a better choice for this particular project--and would silence the fearful robots who've been reading that file "too" carefully. 😉
iherman
I wonder where these dependencies come from... are they related to the common js scripts that are used to generate the final version of the spec (via respec)?
How come the only file that is updated is the package-lock.json file (a file that a lambda user is not supposed to modify...)
I am always vary of these dependency checks; alas!, new versions of npm packages (for example) are not always backward compatible, so it may require more than just an update of some json files.