GitHub user bananer commented on the issue:
https://github.com/apache/thrift/pull/1502
The package-lock file keeps dependency versions fixed across all
installations. According to
[the docs](https://docs.npmjs.com/files/package-lock.json), this does not apply when
the package is published on npm, where the file should be excluded.
To update the dependency packages for our builds, one now has to run
`npm update` and commit the changed package-lock.json files. This does not impact
users of thrift, so I'm not sure if it has to be noted in the Readme or
somewhere else.
---