Commit NPM lock file into source control

[daichuanwu21]

Is your feature request related to a problem? Please describe.

The package-lock.json file generated by NPM during install is currently being ignored under .gitignore.

This is specifically discouraged by NPM's documentation found here. The relevant extract is shown below:

This file is intended to be committed into source repositories, and serves various purposes:

• Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
• Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
• Facilitate greater visibility of tree changes through readable source control diffs.
• Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
• As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.

Most significantly, adding the package-lock.json allows for reproducibility in both testing and production deployments. For example, it would become possible to easily distinguish between a regression introduced by developer code, versus some dependency that just so happened to change versions. Furthermore, it will reduce confusion among end-users, who may be annoyed that newer deployments don't share the same behavior to older deployments.

Describe the ideal solution

• Removal of "package-lock.json" from .gitignore
• Change existing installation documentation to mention npm ci instead of npm install, while warning against using npm install (this is because npm ci does not update package-lock.json, and installs packages exactly according to the lock file)
• Change the Docker build script to use npm ci instead of npm install

Describe alternatives you've considered

None considered.

Additional context

This issue is copy of #1266 on the SudhanPlayz repo, since I'm not exactly sure which is being actively developed.

[brianferri]

You're absolutely right. I was intending on removing it from the .gitignore as soon as we got a stable release (which we now do) but ultimately forgot.

[brianferri]

This is indeed the maintained version of V5 Refer to: https://github.com/SudhanPlayz/Discord-MusicBot/pull/1227

[brianferri]

done in https://github.com/wtfnotavailable/Discord-MusicBot/commit/ceb721f8c62652c7447283620ddf7e36a6219df7