would you consider committing the package-lock.json file to the repo? npm docs suggest to do this and it eases the burden for downstream consumers by publishing a known-good dependency configuration.

i understand this project is considered "legacy" at this point, but in a way that makes having a lockfile even more useful since breakages caused by new dependency releases are more liable to go unnoticed here.