I read https://medium.com/coinmonks/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8. My view (and maybe I'm misunderstanding something) is that as long as installs from released versions are deterministic (i.e. shipping package-lock in the tarball), we don't need to check in this file in the repo.

[ Full content available at: https://github.com/apache/arrow/pull/2598 ]
This message was relayed via gitbox.apache.org for [email protected]
