package-lock.json pins version numbers for all of our transitive dependencies, so it's quite a lot of data. You can read more about it here: https://docs.npmjs.com/files/package-lock.json
We haven't run into any issues related to ambiguous dependency versions, but it's generally considered a best practice to have one. @domoritz was pretty shocked when he saw we didn't include it. Perhaps an argument could be made that we should trim down our dependencies though.

[ Full content available at: https://github.com/apache/arrow/pull/2598 ]
