Package-lock.json file should be committed #4324
Description
Describe the issue
The file package-lock.json should not be in the .gitignore file.
The main purpose of package-lock.json is to guarantee that all contributors install exactly the same dependencies.
The npm website explicitly says that this file is to be committed in the source.
This file is intended to be committed into source repositories, and serves various purposes:
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
Facilitate greater visibility of tree changes through readable source control diffs.
Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.
https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json
I have read issue #1458 but I do not agree with it. From my understanding, in the package-lock each dependency has the versions of its own dependencies. So if a dependency is used by several dependencies with different versions, the right version will be used for each dependency.
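The point made in the issue about per-dependency versions can be checked against the lockfile format itself. The script below is an added example, not code from the axios project or from the issue author: it walks a constructed lockfileVersion 3 package-lock.json using Node's node_modules lookup rule, shows how one lockfile records two versions of the same dependency (a hoisted copy at the root and a nested copy under the package that needs the older one), and lists entries that carry no integrity hash, which is the field npm ci checks against the downloaded tarball. The lockfile contents, the function names and the integrity strings are assumptions made for this example.

```javascript
// Added example, not code from the axios project or from the issue author.
// Walks a constructed lockfileVersion 3 package-lock.json the way Node resolves
// node_modules, to show how one lockfile records two versions of the same
// dependency, and checks that every entry carries an integrity hash.
// Function names and lockfile contents are assumptions; integrity values are
// placeholders, not real hashes.

// Constructed lockfile: the root wants b@^2, but a@1 wants b@^1, so npm nests
// a private copy of b@1.0.0 under node_modules/a/node_modules/b.
const lockfile = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": {
      name: "example-app",
      version: "1.0.0",
      dependencies: { a: "^1.0.0", b: "^2.0.0", c: "^1.0.0" },
    },
    "node_modules/a": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/a/-/a-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_A",
      dependencies: { b: "^1.0.0" },
    },
    "node_modules/a/node_modules/b": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/b/-/b-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_B1",
    },
    "node_modules/b": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/b/-/b-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_B2",
    },
    // Constructed defect: no integrity field, so the tarball cannot be verified.
    "node_modules/c": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/c/-/c-1.0.0.tgz",
      dependencies: { b: "^2.0.0" },
    },
  },
};

// Resolve `name` as required from the package installed at `fromPath`
// ("" for the project root): look in the nearest node_modules, then in each
// parent package's node_modules, until the root is reached.
function resolveDependency(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    const entry = lock.packages[candidate];
    if (entry) return { path: candidate, version: entry.version };
    if (dir === "") return null; // reached the root without a match
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut); // step up one package level
  }
}

// Which version of `name` does each dependent in the tree actually get?
function versionsInUse(lock, name) {
  const result = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (entry.dependencies && name in entry.dependencies) {
      const hit = resolveDependency(lock, path, name);
      result[path || "(root)"] = hit ? hit.version : null;
    }
  }
  return result;
}

// Entries (excluding the root and workspace links) with no integrity hash,
// i.e. tarballs npm ci would install without verifying their contents.
function missingIntegrity(lock) {
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && !entry.link && !entry.integrity)
    .map(([path]) => path);
}

console.log(versionsInUse(lockfile, "b"));
// { '(root)': '2.0.0', 'node_modules/a': '1.0.0', 'node_modules/c': '2.0.0' }
console.log("entries without integrity:", missingIntegrity(lockfile));
// entries without integrity: [ 'node_modules/c' ]
```

To run the same checks on a real project, replace the constructed `lockfile` object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the `packages` map with `node_modules/...` keys exists in lockfileVersion 2 and 3 files, not in the older v1 `dependencies` tree.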