Closed (NovemLinguae closed 1 year ago)
Agreed that package-lock.json should be committed. As for dependabot, maybe we should keep it around but disable it for dev dependencies to avoid too much PR spam. The Hogan dependency is part of on-wiki code pages so it would be good to ensure we're not missing out on any security issues on it.
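For reference, this is what "keep Dependabot but limit it to non-dev dependencies" looks like as a `.github/dependabot.yml`. This is an added example, not a file from the project or from the commenter; the weekly schedule and the npm root directory are assumptions, and the `allow` filter only narrows Dependabot version-update PRs, so a dependency shipped to users (such as Hogan) still gets update PRs while test-only packages like jest do not.

```yaml
# Added example configuration (not the project's own file).
# Dependabot v2 config: limit version-update PRs to production
# dependencies so dev-only tooling does not generate PR noise.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumption: package.json lives at the repo root
    schedule:
      interval: "weekly"      # assumption: weekly cadence
    allow:
      # Only dependencies listed under "dependencies" in package.json,
      # i.e. code that is actually shipped (e.g. Hogan), not
      # "devDependencies" such as jest.
      - dependency-type: "production"
    open-pull-requests-limit: 5
```

With this in place, `devDependencies` bumps are left to a manual `npm update` plus a committed `package-lock.json`, while anything that ends up in the on-wiki code still gets Dependabot PRs.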
Right now package-lock.json is in gitignore and is not committed to the repository.
Pros and cons of committing package-lock.json to the repository?
Pros would be that bugs in things like jest (test suite) from version mismatches between development environments are less likely.
Cons would be the amount of spam that something like Dependabot generates in the PR tab (if Dependabot is used), or having to remember to run and test `npm update` and then commit it every once in a while.

mediawiki repos put package-lock.json in the repo
@siddharthvp, got any thoughts on best practices here? I'd be inclined to maybe do package-lock.json in the repo + manual updates (no dependabot)