Replies: 1 comment
-
Indeed; I have over 300 packages where I disable lockfiles entirely, but I'd consider using a dev-dep-only lockfile on all of them if it were possible. Thanks for filing this!
-
When developing a package that will be installed by downstream users via npm, it's not good to lock your dependencies. Downstream users installing via npm won't receive or use your package-lock.json, so locking the dependencies means that your own package testing doesn't match the dependencies they'll install. It's better to leave the dependencies unlocked, so your CI builds accurately represent real user breakage as it appears.
Cargo has some detailed docs on the equivalent reasoning for this in Rust-land: https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
However, none of this applies for dev dependencies. Even in libraries, it's always useful to lock dev dependencies. Right now though, that's not possible with npm.
Could we add an option to allow generating package-lock.json files that can lock only the dev dependencies for a project?
There's a previous (now archived) npm issue by @ljharb looking for this here, which includes more context & related points worth considering: npm/npm#16814.
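As an added example (not npm's own code, and not an implementation proposed by anyone in the discussion above), the following Node script approximates the requested feature on today's lockfile format: it prunes a lockfileVersion 2/3 package-lock.json down to the entries npm flags as dev-only, then reports the edges of the dev tree that such a lockfile cannot pin because their target is shared with a production dependency. The lockfile layout it relies on (a `packages` map keyed by install path, with `dev`/`devOptional` flags on entries reachable only through devDependencies) is the one npm writes; the sample lockfile, its package names, URLs and integrity strings are constructed for the example.

```javascript
'use strict';
// Added example, not npm's own code and not from the discussion above.
// Prunes a lockfileVersion 2/3 package-lock.json to a dev-dependency-only
// lockfile and reports which edges of the dev tree can no longer be pinned.
// Assumption: npm's v2/v3 layout, where "packages" is keyed by install path
// and entries reachable only through devDependencies carry `dev: true`
// (or `devOptional: true`); entries shared with production carry no flag.

function devOnlyLock(lock) {
  if (!lock.packages || typeof lock.packages !== 'object') {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const packages = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    // The root record ("") mirrors package.json and is kept as-is.
    if (path === '' || entry.dev === true || entry.devOptional === true) {
      packages[path] = entry;
    }
    // Everything else is reachable from a production dependency, which
    // downstream installers resolve afresh anyway, so it is left unlocked.
  }
  // lockfileVersion 2 also carries a legacy "dependencies" tree for npm 6;
  // it duplicates "packages", so drop it rather than pruning it in parallel.
  const { dependencies, ...rest } = lock;
  return { ...rest, packages };
}

// Resolve `name` from the package installed at `fromPath` the way Node does:
// try fromPath/node_modules/name, then each ancestor's node_modules, then the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx < 0 ? '' : base.slice(0, idx);
  }
}

// Edges of the dev tree whose target is not pinned in this lockfile: the root's
// devDependencies plus the `dependencies` of every kept package. The root's
// production dependencies are skipped because leaving them unlocked is the point.
// (optionalDependencies and peerDependencies are not checked here.)
function unlockedEdges(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const wanted = path === '' ? entry.devDependencies : entry.dependencies;
    for (const name of Object.keys(wanted || {})) {
      if (resolveDep(lock.packages, path, name) === null) out.push({ from: path, name });
    }
  }
  return out;
}

// Constructed sample: a library with one production and one dev dependency,
// where the dev dependency also depends on the production one (a shared node).
const SAMPLE_LOCK = {
  name: 'example-lib',
  version: '1.0.0',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': {
      name: 'example-lib',
      version: '1.0.0',
      dependencies: { 'left-pad-ish': '^1.0.0' },
      devDependencies: { 'test-runner-ish': '^2.0.0' },
    },
    'node_modules/left-pad-ish': { // reachable from production: no dev flag
      version: '1.3.0',
      resolved: 'https://registry.example/left-pad-ish/-/left-pad-ish-1.3.0.tgz',
      integrity: 'sha512-constructed-0001',
    },
    'node_modules/test-runner-ish': { // dev only
      version: '2.1.0',
      resolved: 'https://registry.example/test-runner-ish/-/test-runner-ish-2.1.0.tgz',
      integrity: 'sha512-constructed-0002',
      dev: true,
      dependencies: { 'left-pad-ish': '^1.0.0', 'reporter-ish': '^0.5.0' },
    },
    'node_modules/reporter-ish': { // dev only, transitive
      version: '0.5.2',
      resolved: 'https://registry.example/reporter-ish/-/reporter-ish-0.5.2.tgz',
      integrity: 'sha512-constructed-0003',
      dev: true,
    },
  },
};

// CLI use: node devlock.js [package-lock.json] > package-lock.dev.json
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const pruned = devOnlyLock(lock);
  console.log(JSON.stringify(pruned, null, 2));
  for (const e of unlockedEdges(pruned)) {
    console.error(`not pinned: ${e.from || '(root)'} -> ${e.name} (shared with a production dependency?)`);
  }
}
```

Run against the constructed sample, the pruned lockfile keeps only the root record, `test-runner-ish` and `reporter-ish`, and the report flags one unpinned edge: `test-runner-ish -> left-pad-ish`. That is the inherent limit of a dev-only lockfile rather than a defect of the pruning: a package reachable from both a production and a dev dependency gets no `dev` flag, so it is left for npm to resolve at install time, and the dev tool's version of it can drift along with the production one.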