Add a lock file

[god464]

What version of this package are you using?
V17.1.0
What problem do you want to solve?
As I said on discord. I want to help add Standardjs to Nixpkgs. But according to this issue, we need to add the lock file on upstream. And adding lock files is helpful for any future development (see the discord link for details).
What do you think is the correct solution to this problem?
Per title.
Are you willing to submit a pull request to implement this change?
Yes if I can.

[LinusU]

Hmm, I'm not sure how all processes should look around this.

Currently, as distributed via Npm, the newest semver compatible versions of every dependency is used whenever a user installs or updates the package. This makes it so that any security fixes or other patches are automatically applied without us having to do anything.

If we add a lock file, do we need to make a new release anytime a security fix is released in any downstream packages? This feels like we are adding both work and responsibility on us in order to only support the Nix distribution 🤔

[voxpelli]

I’m largely 👎 on this. It’s nice to be able to support as many places as possible, but a lockfile would have to be maintained as well as @LinusU says

[wesleytodd]

The key issue around libraries using lockfiles is that we need to ensure the final build before publish blows away the entire lockfile. If you don't do this then the consumers could get newer transitive dependencies than the tests were run with, possibly breaking immediately when they update. There is currently not a lot of good tooling around that workflow, but I would be interested in building it if we wanted to use it here. There are some details to work out though since we don't have fully automated publish from CI.

EDIT: I guess I should have added, without the proper tooling I am also 👎 on adding a lockfile.