Move back to npm

[brettcannon]

While yarn is nice and fast, using npm for its package-lock.json will allow us to (hopefully) automate the generation of our third-party notices file more easily along with CELA/OSPO stuff behind the scenes.

The key issue with yarn.lock is that it's a bespoke file format while package-lock.json is just JSON. One of those formats is a bit easier to read from Python. 😉 We will need to start using npm ci where we use yarn install --freeze-lockfile to make sure we are keeping the lock file updated.

[brettcannon]

As an example, in our package.json we have:

"lodash": "4.17.5",

This shows up in yarn.lock as:

[email protected], lodash@^4.17.4:
  version "4.17.5"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.5.tgz#99a92d65c0272debe8c96b6057bc8fbfa3bed511"

In package-lock.json, it shows up as:

"lodash": {
    "version": "4.17.5",
    "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz",
    "integrity": "sha512-svL3uiZf1RwhH+cWrfZn3A4+U58wbP0tGVTLQPbjplZxZ8ROD9VLuNgsRniTlLe7OlSqR79RUehXgpBW/s0IQw=="
},

What we want from the lock file is a way to go from our "dependencies" in package.json to the version and used files in order to find the license file for that package. It seems either would work, but package-lock.json makes it a bit easier by exposing directly "dependencies" and "devDependencies" off of "dependencies" itself, while yarn.lock uses a bespoke file format and keys off of the requirements that led to a certain version being installed.

[brettcannon]

There is a definite performance loss with using npm versus yarn, but the tooling support is a bit easier under npm.

[DonJayamanne]

@brettcannon are you planning on getting this done in this milestone.
From what can remember, that was your plan, however this hasn't been assigned to the milestone.

[brettcannon]

@DonJayamanne the plan is "when I find the time" 😉