why do so many projects still not have a "yarn.lock" or "package-lock.json" file just makes me think they're not taking dev dependencies seriously