nodejs-lock-file

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

These information are useless from a debian point of view, because version are managed by dpkg.

Moreover, package-lock.json feature to pin to some version dependencies is a anti feature of the debian way of managing package, and could lead to security problems in the likely case of debian solving security problems by patching instead of upgrading.

The tag is present in Lintian version 2.114.163. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.114.0 release tag in our Git repository.

You can find the detection logic for this version at commit c1c05b0. For merge requests, please use the latest version in the Lintian check languages/javascript/nodejs.

Visibility: error

The following 1 source packages in the archive triggered the tag 1 times (in any Lintian version).

There were no overrides.

tldjs

[usr/lib/nodejs/tldjs/package-lock.json]