Conversation

@bjohansebas
Member

Okay, with Dependabot, we don't want it to create unnecessary PRs, knowing that the package-lock file is not uploaded to npm and shouldn't be. So, we are removing the package-lock to reduce unnecessary noise.

@bjohansebas bjohansebas requested a review from a team March 29, 2025 19:55
@socket-security

Updated and removed dependencies detected.

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@types/[email protected]22.13.14 | None | +1 | 83.3 kB | |
| npm/[email protected]3.3.3 | None | +17 | 513 kB | mrmlnc |
| npm/[email protected]17.3.0 | Transitive: environment, filesystem, shell, unsafe | +97 | 10.5 MB | |


Member

@kjugi kjugi left a comment

I don't really understand the problem described in the PR. Can you link examples or something like that? Maybe we can figure it out together

@bjohansebas
Member Author

We don’t send the package-lock to the consumers of the package, and we shouldn’t. Dependabot will create unnecessary PRs since only we will be using it. Therefore, having Dependabot send PRs that only update the package-lock is just noise in our GitHub notifications (I already have too many, and I don’t want them to be filled with unnecessary Dependabot updates).

Luckily, Dependabot runs monthly, so it’s not a big concern. However, this package won’t receive frequent PRs since it consists of codemods. Merging PRs that only update dependencies (and only modify the package-lock) creates an unnecessarily long history. Instead, we could simply delete those PRs and unnecessary commits by ignoring and preventing the creation of the package-lock.

@bjohansebas bjohansebas requested a review from kjugi March 29, 2025 23:10
@kjugi
Member

kjugi commented Mar 30, 2025

@bjohansebas To solve that problem, we can simply add a .npmignore file. With this, we can still keep the lock file in place.
docs link

@Phillip9587
Member

I don't understand the problem. package-lock.json cannot be published by npm commands and will be ignored automatically.
See npm docs: https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-json

@bjohansebas
Member Author

I'm not making myself clear, sorry, my English isn't very good.

What I mean is that Dependabot is going to open PRs updating dependencies, most of which will be unnecessary. See #39, #37, #38; they only update the version in the package-lock. I can merge these PRs, but every month, similar PRs will be created (only updating the version in the package-lock), which doesn't make sense and will create unnecessary history in Git.

It's useful when the version in the package.json is also updated, like in #43, but most PRs will only update the versions in the package-lock, making them unnecessary PRs that can be avoided by removing the package-lock.

This PR has nothing to do with the package publication.

@kjugi
Member

kjugi commented Mar 31, 2025

This can be changed in the dependabot config I believe.
Docs link: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy--

Should be set to increase

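As an added example, not the repository's own config, a `.github/dependabot.yml` applying the `versioning-strategy: increase` setting kjugi points to, plus an optional `groups` stanza (not discussed in the thread) that batches minor and patch bumps into a single PR; the `directory` and `schedule` values are assumptions.

```yaml
# Constructed example: .github/dependabot.yml (not this repository's file).
# package-lock.json stays in the repo; Dependabot is told to move package.json
# together with the lockfile instead of opening lockfile-only PRs.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumed: package.json at the repository root
    schedule:
      interval: "monthly"     # the thread says Dependabot already runs monthly
    # Default is "auto": a release that still satisfies the existing range
    # (e.g. ^22.13.0 -> 22.13.14) only changes package-lock.json, which is the
    # lockfile-only PR noise described above.
    # "increase" always raises the requirement in package.json to the new
    # version, so manifest and lockfile change in the same PR.
    versioning-strategy: "increase"
    # Optional: collapse all minor/patch bumps into one grouped PR per run,
    # so a monthly run yields one review instead of one PR per dependency.
    groups:
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```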
@bjohansebas bjohansebas closed this Apr 1, 2025
@bjohansebas bjohansebas deleted the delete-package-json branch November 7, 2025 23:59