Hi, I noticed that coc-prettier has a yarn.lock file that is not getting published in the npm package, if I run:

```
$ npm pack coc-prettier
$ tar -xzf coc-prettier-1.1.14.tgz
$ ls package
> lib CHANGELOG.md package.json package-json-schema.json Readme.md
```

I see this is intentional from npm 6.9 and forward, see: yarn.lock not published by npm publish anymore - 🐞 bugs - npm forum

When I run `:CocInstall coc-prettier` I notice that CoC installs with `npm install --ignore-scripts --no-lockfile --production`, isn't this dangerous? Lock files are there to prevent security and functionality issues with transitive dependencies changing under our feet.

I was checking npm-shrinkwrap.json | npm Documentation:

> npm-shrinkwrap.json is a file created by npm shrinkwrap. It is identical to package-lock.json, with one major caveat: Unlike package-lock.json, npm-shrinkwrap.json may be included when publishing a package.
>
> The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry...

Maybe you should publish an `npm-shrinkwrap.json` in your packages? I don't know if this will work with yarn though.

We can move this discussion to the Coc main repo if you want to, thanks.
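The tarball check from the post above, turned into a reusable audit. This is an added example, not part of the original issue or of the coc.nvim project. The function names `lock_status` and `make_sample` are hypothetical, and the sample tarball is constructed locally so the script runs offline. It relies on npm's documented behavior that only `npm-shrinkwrap.json` is applied from a published package, while a `package-lock.json` or `yarn.lock` found inside a dependency is not.

```shell
#!/bin/sh
# Added example: classify an npm tarball by the lock files it ships.
#   "shrinkwrap"       package/npm-shrinkwrap.json present (honored on install)
#   "ignored:<files>"  only yarn.lock / package-lock.json present (not applied
#                      when the package is installed as a dependency)
#   "none"             no lock file shipped; transitive versions float
lock_status() {
    tgz=$1
    # npm tarballs place every file under a top-level "package/" directory.
    listing=$(tar -tzf "$tgz") || return 2
    if printf '%s\n' "$listing" | grep -qxF 'package/npm-shrinkwrap.json'; then
        echo shrinkwrap
        return 0
    fi
    ignored=
    for f in package-lock.json yarn.lock; do
        if printf '%s\n' "$listing" | grep -qxF "package/$f"; then
            ignored="${ignored:+$ignored,}$f"
        fi
    done
    if [ -n "$ignored" ]; then
        echo "ignored:$ignored"
    else
        echo none
    fi
}

# Constructed sample: build a tarball shaped like an npm package, offline.
# Usage: make_sample <out.tgz> [extra file names...]
make_sample() {
    out=$1; shift
    dir=$(mktemp -d)
    mkdir -p "$dir/package/lib"
    echo '{"name":"sample-pkg","version":"0.0.0"}' > "$dir/package/package.json"
    for f in "$@"; do echo '{}' > "$dir/package/$f"; done
    tar -czf "$out" -C "$dir" package
    rm -rf "$dir"
}

# Demo: a tarball with the same shape as the listing in the post (no lock file).
demo_dir=$(mktemp -d)
make_sample "$demo_dir/sample.tgz" CHANGELOG.md Readme.md
lock_status "$demo_dir/sample.tgz"
rm -rf "$demo_dir"
```

To audit a real package, pass the file produced by `npm pack <name>` to `lock_status`.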