@egoist can i do something to get this PR merged ? 😉

I put a yarn lock file on this repo about a year ago so the dev pipeline wouldn't bust. When I clone fresh today and run yarn audit I see pretty print outs of all the vulnerabilities and a summary:

69 vulnerabilities found - Packages audited: 2922
Severity: 41 Low | 16 Moderate | 11 High | 1 Critical
✨  Done in 2.02s.

When I run npm i --package-lock-only I see a handful of directionless warnings and a summary:

added 707 packages and audited 5506 packages in 7.417s
found 10 vulnerabilities (3 low, 7 high)

Which of these two systems would you place your faith in knowing NPM added lock files in response to Yarn and not because they felt it was important enough to prioritize early?

Given this repo only has any dev deps I don't see a strong need to merge unless active development begins. But we can leave this here for now. Thanks for the pull.

Which of these two systems would you place your faith in knowing NPM added lock files in response > to Yarn and not because they felt it was important enough to prioritize early?

Good point. I haven't used Yarn for quite some time now.