I contribute to a project where users use both NPM and Yarn. NPM generates package-lock.json, and Yarn generates yarn-lock.json; both use package.json.
I know that yarn import can be used to use package-lock.json, but if a dependency is then installed with Yarn, there is no way to update package-lock.json from Yarn, as far as I know.
So, in other words, if a PR uses NPM, yarn-lock won't be up to date, and if a PR uses Yarn, package-lock won't be up to date. Then, if another PR comes in later, those lock files will show up as if they changed, when in reality they just weren't updated previously, because of what I described in the previous sentence.
I don't like to use the term "best practice", because it is all relative to each person's experience, but does anyone have any tips for this scenario? Is it best just to not commit both lock files? Is there another system that works best, or is it just best to force users to use Yarn or NPM? I think users should just use whatever they want.