As mentioned in #2294, the package-lock.json we're creating is wrong sometimes, seemingly due to a bug in npm.
npm reference: https://npm.community/t/npm-i-package-lock-only-changes-lock-file-incorrectly-when-file-references-used-in-dependencies/1412
For now, the only workaround is to fully install node_modules.
@martijnwalraven I have added an option to perform a full npm install on the bot every time in #2390. I tested using this option on a fork of apollographql/apollo-server and the Pin Dependencies PR (correctly) kept the package-lock.json unchanged. I will need to explicitly/manually enable this setting for apollographql/apollo-server in the app, because I have made this an admin-only option so that only the bot admin can enable it and not any repository user.
Thanks for looking at this, and for building in the work-around, @rarkins.
Can we go ahead and enable skipInstalls on apollographql/apollo-server (I suppose you can verify that I'm authorized based on the access I've demonstrated in this PR, but I'm happy to verify in some other way), and I'll follow along with the bug report you opened on npm.community so we remember to turn it off.
I’ve enabled it already for your repo so no need for extra config on the repo. Any PR that’s created or rebased from now on should have a correct lockfile attached.
@rarkins We're about to merge similar file reference changes into Apollo Client (see https://github.com/apollographql/apollo-client/pull/3817). Any chance we could also have skipInstalls enabled on that repo? Thanks!
Yes, I can do that. I’m thinking of making it automatic for any repo that has file: dependencies too.
That would be awesome! We're switching to using file references in a few other repos shortly, so that would really help. Thanks!
I’ve now switched on full installs any time a “file:” dependency is included with npm directly or via Lerna. Hopefully npm can fix this soon though as it adds to the bot’s workload significantly!
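The rule described in the comment above (a full install whenever a "file:" dependency is present, with npm directly or via Lerna) can be sketched as follows. This is an added example, not the bot's own code; the function names, the result shape and the sample manifests are assumptions made for illustration.

```javascript
// Added example: choose between a lock-file-only update and a full install,
// based on whether any package.json in the repo declares a "file:" dependency.
const DEP_SECTIONS = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
];

// Return every "file:" reference found in one parsed package.json.
function findFileDeps(manifest, manifestPath) {
  const hits = [];
  for (const section of DEP_SECTIONS) {
    const deps = manifest?.[section];
    if (deps === null || typeof deps !== 'object') continue; // absent or malformed
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec === 'string' && spec.trim().startsWith('file:')) {
        hits.push({ manifestPath, section, name, spec });
      }
    }
  }
  return hits;
}

// manifests: map of path -> package.json text (root plus any Lerna packages).
function chooseInstallMode(manifests) {
  const fileDeps = [];
  for (const [path, text] of Object.entries(manifests)) {
    let parsed;
    try { parsed = JSON.parse(text); } catch (err) {
      // A manifest that cannot be parsed cannot be cleared: use the safe path.
      return { mode: 'full-install', reason: `unparseable ${path}`, fileDeps };
    }
    fileDeps.push(...findFileDeps(parsed, path));
  }
  return fileDeps.length > 0
    ? { mode: 'full-install', reason: 'file: dependency present', fileDeps }
    : { mode: 'lock-file-only', reason: 'no file: dependencies', fileDeps };
}

// Constructed sample input: a Lerna-style repo with one local file reference.
const SAMPLE = {
  'package.json': JSON.stringify({ devDependencies: { lerna: '^3.0.0' } }),
  'packages/server/package.json': JSON.stringify({
    dependencies: { 'example-core': 'file:../core', express: '^4.16.0' },
  }),
};
console.log(chooseInstallMode(SAMPLE));
```

The returned `fileDeps` list records which manifest and section triggered the full install, so the decision can be logged and reviewed.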
Ouch, I bet the workload just shot up 🙁. Thanks for jumping on this so quickly @rarkins!