chore: add back package-lock.json and enable dependabot

[aduh95]

It was removed based of #311, however having a reproducible dev env is good actually.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.15%. Comparing base (a68af4b) to head (a9a7bf8).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #939   +/-   ##
=======================================
  Coverage   80.15%   80.15%           
=======================================
  Files          39       39           
  Lines        4635     4635           
=======================================
  Hits         3715     3715           
  Misses        920      920           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aduh95]

@nodejs/node-core-utils wdyt?

[targos]

No objections from me. I prefer a higher chance of discovering unintended breaking changes in dependencies to the reproducibility of the dev env but I can live with it.

[aduh95]

I prefer a higher chance of discovering unintended breaking changes in dependencies

Has this ever happened btw? I've tried looking for other projects that one would more likely install globally rather than locally (create-react-app, heroku, pm2), they all seem to use a lock file – although I didn't spend much time looking for it.

BTW I'm not sure being meant to be installed globally change much, packages that are installed locally also do not use the upstream lockfile.

[targos]

In this project, I don't know. It has already happened in other projects I maintain.

[targos]

RSLGTM on the dependabot config