Use of npm when committed lockfile is for Yarn

Hi there,

We're using a Docker deployment of Medusa based on this repository where I work, and I think I've found something you should be aware of. It looks like module versions are being controlled using yarn.lock, but the Dockerfile provided runs npm install. This means the yarn.lock file is completely ignored when building using Docker, and results in the latest version of all Node modules being installed.

The result of this is that the Medusa backend has been upgrading itself each time we deploy it, without our knowledge. medusa migrations run is run on every deploy, so most of the update migrations will have worked, but obviously the more in-depth migrations and potential code changes have not been put in place.

Is there something I've missed, or is this a problem that should be rectified?