consider committing a package-lock.json file

[flokli]

Without a package-lock.json, running npm i in a checkout can come up with different versions of dependencies.

Especially when checking out tagged commits, there should be an up2date package-lock.json, so the same artifacts as on PyPi can be reproduced.