remove package-lock.json and set .npmrc to not create package-lock.json files, ignore package-lock.json in .npmignore to avoid publishing a package with package-lock.json, gitignore package-lock.json

Uzlopak · Uzlopak · commit 34bbd0f3bbfd · 2022-04-14T13:59:22.000+02:00
We could be prone to a supply-chain-attack when we not carefully review changes in the package-lock.json. urls to packages could be changed to malicious variants. To avoid this, we disable the generation package-lock.json. We should not accept any PRs with package-lock.json.
diff --git a/.gitignore b/.gitignore
@@ -39,3 +39,5 @@ tramp
 # coverage
 coverage
 .nyc_output
+
+package-lock.json
diff --git a/.npmignore b/.npmignore
@@ -1 +1,2 @@
 test/
+package-lock.json
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+package-lock=false
diff --git a/package-lock.json b/package-lock.json
