Should .gitignore be modified to include ./node_modules/.package-lock.json (aka: lockfileVersion 3)?


This is a commonly asked question, but a little different this time. It seems the developers of Node.js have chosen to make NPM register the standard v2 package-lock.json in the project root (or wherever you run your commands from), and subsequently it registers the new v3 .package-lock.json file inside ./node_modules.

Is there a consensus as to whether we should be committing ./node_modules/.package-lock.json with our source code, or should it be considered just another build artifact of NPM? The reason for my question is recently our CI/CD pipeline has been automatically updating dependencies which were locked, and the only commonality seems to be the warning:

+ npm ci
npm WARN old lockfile 
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile 
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
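As an added example (not part of the question, and not npm's own code), a small Python check that reads the lockfileVersion of the committed package-lock.json, flags the version-1 case that makes npm 7+ print the "old lockfile" warning shown above, and diffs the pinned versions and integrity hashes against the hidden node_modules/.package-lock.json to catch the kind of silent dependency drift the question describes. Both lockfiles are constructed sample data; the integrity strings are placeholders.

```python
import json

# Constructed sample lockfiles (not from the original post): the committed
# root package-lock.json and the hidden node_modules/.package-lock.json.
COMMITTED_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 2, "requires": true,
  "packages": {
    "": {"name": "example-app", "dependencies": {"lodash": "^4.17.0"}},
    "node_modules/lodash": {"version": "4.17.20",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz",
      "integrity": "sha512-PLACEHOLDER-COMMITTED"}
  }
}""")
HIDDEN_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-PLACEHOLDER-INSTALLED"}
  }
}""")

def lockfile_version(lock):
    # npm 5/6 wrote lockfileVersion 1; npm 7+ writes 2 at the project root
    # and 3 for the hidden lockfile inside node_modules.
    return int(lock.get("lockfileVersion", 1))

def triggers_old_lockfile_warning(lock):
    # "npm WARN old lockfile" is printed by npm 7+ when it must upgrade a
    # version-1 lockfile and fetch the missing metadata from the registry.
    return lockfile_version(lock) < 2

def pinned_packages(lock):
    # "packages" is keyed by install path; "" is the project itself.
    return {path: (meta.get("version"), meta.get("integrity"))
            for path, meta in lock.get("packages", {}).items() if path}

def lockfile_drift(committed, hidden):
    # Report every install path where what sits in node_modules differs from
    # what the committed lockfile pins (version or integrity), including
    # packages present on only one side.
    a, b = pinned_packages(committed), pinned_packages(hidden)
    drift = {}
    for path in sorted(set(a) | set(b)):
        if a.get(path) != b.get(path):
            drift[path] = {"committed": a.get(path), "installed": b.get(path)}
    return drift
```

Running `lockfile_drift` against the real files after `npm ci` is a cheap CI gate: a non-empty result means the install no longer matches what was reviewed and committed.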

There are 0 answers