While yarn is nice and fast, using npm for its package-lock.json will allow us to (hopefully) automate the generation of our third-party notices file more easily along with CELA/OSPO stuff behind the scenes.
The key issue with yarn.lock is that it's a bespoke file format while package-lock.json is just JSON. One of those formats is a bit easier to read from Python. 😉 We will need to start using npm ci where we use yarn install --freeze-lockfile to make sure we are keeping the lock file updated.
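As an illustration of the "just JSON" point, the following script is an added example, not code from the project or the author of this note. It parses a package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree), produces the name@version inventory a third-party-notices generator would start from, and flags entries with no integrity hash or with a resolved URL outside the public npm registry. The two lock files embedded below are constructed samples with placeholder package names and integrity values; the "registry only" rule in find_integrity_gaps is an assumed policy, not something the note states.

```python
import json
from typing import Dict, List, Optional

# Constructed lockfileVersion 3 sample (placeholder names and integrity values).
SAMPLE_LOCK_V3 = """{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/example-lib": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-2.4.1.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"
    },
    "node_modules/example-dev-tool": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/example-dev-tool/-/example-dev-tool-3.0.0.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER",
      "dev": true
    },
    "node_modules/example-internal": {
      "version": "0.1.0",
      "resolved": "git+ssh://git@example.invalid/widget.git#abc123"
    }
  }
}"""

# Constructed lockfileVersion 1 sample: dependencies are nested under each package.
SAMPLE_LOCK_V1 = """{
  "lockfileVersion": 1,
  "dependencies": {
    "example-lib": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-2.4.1.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER",
      "dependencies": {
        "example-nested": {
          "version": "1.0.2",
          "resolved": "https://registry.npmjs.org/example-nested/-/example-nested-1.0.2.tgz",
          "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"
        }
      }
    }
  }
}"""

Entry = Dict[str, Optional[str]]


def parse_package_lock(text: str) -> List[Entry]:
    """Return one record per locked package, sorted by name then version."""
    lock = json.loads(text)
    entries: List[Entry] = []

    def record(name: str, meta: dict) -> None:
        entries.append({
            "name": name,
            "version": meta.get("version"),
            "resolved": meta.get("resolved"),
            "integrity": meta.get("integrity"),
            "dev": bool(meta.get("dev", False)),
        })

    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: keys are install paths such as "node_modules/@scope/pkg".
        for path, meta in packages.items():
            if path == "":
                continue  # the root project itself, not a third-party package
            record(meta.get("name") or path.rsplit("node_modules/", 1)[-1], meta)
    else:
        # lockfileVersion 1: walk the nested "dependencies" tree.
        def walk(deps: dict) -> None:
            for name, meta in deps.items():
                record(name, meta)
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))

    return sorted(entries, key=lambda e: (e["name"] or "", e["version"] or ""))


def find_integrity_gaps(entries: List[Entry]) -> List[str]:
    """Names of packages lacking an integrity hash or not fetched from the public registry."""
    registry = "https://registry.npmjs.org/"
    return [e["name"] for e in entries
            if not e["integrity"] or not (e["resolved"] or "").startswith(registry)]


def notice_inventory(entries: List[Entry]) -> List[str]:
    """name@version lines for runtime (non-dev) packages, the input to a notices generator."""
    return [f"{e['name']}@{e['version']}" for e in entries if not e["dev"]]


if __name__ == "__main__":
    locked = parse_package_lock(SAMPLE_LOCK_V3)
    print("\n".join(notice_inventory(locked)))
    print("gaps:", find_integrity_gaps(locked))
```

Note that package-lock.json records versions, resolved URLs and integrity hashes but not license text, so this inventory is the starting point for a notices file, not the finished artifact; the integrity-gap check is the part worth running in CI alongside npm ci, since a lock entry without a hash or from an unexpected origin is exactly what a pinned lock file is meant to rule out.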