Disable package-lock.json

NPM's official documentation says that package-lock.json should be part
of the repository.

Why? `package-lock.json` is basically a snapshot of the `node_modules/`
directory. You can think of it like `node_modules.zip`, except more
human-readable, and requires an internet connection to unzip.

The main advantage of adding it to Git is that it lets you know exactly
the state of `node_modules/` at the time the programmer commits it. So
if a dependency breaks, it's easier to trace exactly when it broke.

It also makes sure `node_modules/` is exactly the same between
different development environments, so differences don't cause bugs to
appear for some developers but not others.

This comes with a number of disadvantages. The biggest one is that it
causes package-lock changes to appear in random commits, which can
outright lead to merge conflicts. Not to mention making diffs in
general significantly less readable.

And a lot of stated advantages aren't actually true (paraphrased):

> If I install express ^4.15.4, and later express 4.15.5 is released,
> a contributor would run `npm install` and get 4.15.5, we would
> have different versions.

Like, this is intended behavior. If I didn't want that behavior, I'd
specify the express version as 4.15.4 instead of ^4.15.4. We can still
have the same version if we just re-run `npm install`, which we would
STILL have to do if we were using a package-lock file. The
package-lock file does not improve this situation.

(A Dev poll showed that most devs were in support of this.)
Guangcong Luo 2018-01-11 16:02:15 -06:00
parent 56619ffa35
commit 2e85de348f
3 changed files with 2 additions and 2159 deletions

1
.gitignore vendored

@ -7,6 +7,7 @@
/chat-plugins/*-private.js
npm-debug.log
.eslintcache
package-lock.json
# boilerplate #
###############
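Review bot: The new `package-lock.json` entry is not root-anchored, unlike `/chat-plugins/*-private.js` above it, so it also ignores a lock file in any subdirectory that carries its own package.json. If only the top-level file is meant, write `/package-lock.json`. A short comment on that line pointing to the `.npmrc` setting would also help, since an ignored lock file is otherwise easy to mistake for an oversight.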

1
.npmrc Normal file

@ -0,0 +1 @@
package-lock=false
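Review bot: `package-lock=false` is added without a comment, and it has a consequence the commit message does not cover: with no lock file, transitive dependencies are re-resolved from their semver ranges on every `npm install`, and the repository no longer records the resolved version or integrity hash of any package. Pinning `express` to an exact version in package.json, as the message suggests, fixes only direct dependencies. Consider adding a comment in `.npmrc` stating the reason for the setting, and documenting how deployments are expected to get a pinned, reviewable dependency set.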

2159
package-lock.json generated

File diff suppressed because it is too large