Closed
Description
While `yarn` is nice and fast, using `npm` for its `package-lock.json` will allow us to (hopefully) automate the generation of our third-party notices file more easily along with CELA/OSPO stuff behind the scenes.

The key issue with `yarn.lock` is that it's a bespoke file format while `package-lock.json` is just JSON. One of those formats is a bit easier to read from Python. 😉 We will need to start using `npm ci` where we use `yarn install --freeze-lockfile` to make sure we are keeping the lock file updated.
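As an added illustration of the point about reading `package-lock.json` from Python (not code from this issue or the project): the sketch below walks the `packages` map of a lockfileVersion 2/3 file and collects the name, version, license and integrity hash that a third-party notices file would draw on. The sample lock file, its package names and its hashes are constructed.

```python
import json

# Constructed sample in the lockfileVersion 3 layout; names and hashes are made up.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/example-dep": {"version": "1.2.0", "license": "MIT",
        "resolved": "https://registry.example/example-dep-1.2.0.tgz",
        "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/@example/scoped": {"version": "0.4.1", "license": "Apache-2.0",
        "integrity": "sha512-CONSTRUCTED-B"},
    "node_modules/@example/scoped/node_modules/example-dep": {"version": "1.0.0",
        "integrity": "sha512-CONSTRUCTED-C"},
    "node_modules/example-devtool": {"version": "3.0.0", "dev": True, "license": "ISC"},
    "node_modules/example-local": {"resolved": "packages/example-local", "link": True},
    "packages/example-local": {"version": "0.0.1"},
}})


def third_party_packages(lock_text, include_dev=False):
    """Return one record per distinct (name, version) installed under node_modules."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("no 'packages' map; expected lockfileVersion 2 or 3")
    found = {}
    for path, entry in lock["packages"].items():
        # Skip the root project (""), workspace folders, and symlinks to them.
        if "node_modules/" not in path or entry.get("link"):
            continue
        if entry.get("dev") and not include_dev:
            continue
        # "name" is only recorded when it differs from the install path (aliases).
        name = entry.get("name") or path.rpartition("node_modules/")[2]
        version = entry.get("version", "UNKNOWN")
        found[(name, version)] = {
            "name": name, "version": version,
            "license": entry.get("license", "UNKNOWN"),
            "integrity": entry.get("integrity"),  # None means nothing to verify against
        }
    return [found[key] for key in sorted(found)]


def notices_text(packages):
    """Render a minimal notices listing; real notices also need the license texts."""
    return "\n".join(f"{p['name']} {p['version']} ({p['license']})" for p in packages)


if __name__ == "__main__":
    print(notices_text(third_party_packages(SAMPLE_LOCK)))
```

Entries that come back with `license` set to `UNKNOWN` or `integrity` set to `None` are the ones to review by hand before the notices file is published.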