`lodash@latest` can break projects using yarn since yarn lockfile is not being maintained

[rkoval]

If lodash releases a major version that breaks any API changes that this repo relies on, consuming repos that use yarn will cause this library to break.

Can a yarn lock file get added to the project? An alternative would be to just lock the lodash version in the package.json itself.

You will otherwise see an error message like the one below if using yarn and other dependencies that rely on lodash:

warning Pattern ["lodash@latest"] is trying to unpack in the same destination "/root/yarn-cache/v1/npm-lodash-4.17.5-99a92d65c0272debe8c96b6057bc8fbfa3bed511" as pattern ["lodash@^4.17.4","lodash@^4.17.4","lodash@^4.2.0","lodash@^4.17.4","lodash@^4.2.0","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.14.0","lodash@^4.13.1","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4","lodash@^4.17.4"]. This could result in non-deterministic behavior

[rkoval]

Closing because I didn't realize yarn doesn't actually use the lockfile for dependencies.