I completely agree! When I talked about running previous versions, I was talking about me as a developer of the package. From a release perspective it might be good to have the lockfile in the repo as well, since this way no dependencies accidentally update between testing and release.
The npm docs say "It is highly recommended you commit the generated package lock to source control" (https://docs.npmjs.com/files/package-locks#using-locked-packages) and I've not seen a project that only adds the lockfile to releases.

[ Full content available at: https://github.com/apache/arrow/pull/2598 ]
