Creating this task as a follow-up to https://issues.apache.org/jira/browse/TINKERPOP-2572.
To make sure the result of running npm install is deterministic, package-lock.json should be committed along with package.json instead of being gitignored. This will prevent older package-lock.json files that may exist locally from earlier installs from being used to determine what versions to install when running npm install.
I'm not 100% sure I understand how the Affects Version and Fix Version fields should be set when creating the Jira ticket. Feedback appreciated.
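Once package-lock.json is committed, a CI step can confirm it still agrees with package.json. The sketch below is an added example, not code from the ticket or from the TinkerPop project; `checkLock` and the sample package names are hypothetical, the data is constructed, and it assumes a lockfileVersion 2 or 3 file with registry-hosted dependencies.

```javascript
// Added example: checkLock is a hypothetical helper, not part of TinkerPop.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns a list of human-readable problems; an empty list means the
// committed lock file matches package.json and pins every installed package.
function checkLock(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[''] || {}; // the "" entry mirrors package.json
  for (const section of SECTIONS) {
    const declared = pkg[section] || {};
    const locked = root[section] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (locked[name] !== range) {
        problems.push(`${section}: ${name} declared "${range}", lock records "${locked[name]}"`);
      }
      if (!packages[`node_modules/${name}`]) {
        problems.push(`${section}: ${name} has no locked entry`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) problems.push(`${section}: ${name} is only in the lock file`);
    }
  }
  // Every installed package should pin an exact version and an integrity hash.
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.includes('node_modules/') || entry.link || entry.inBundle) continue;
    if (!entry.version || !entry.integrity) {
      problems.push(`${path}: missing version or integrity`);
    }
  }
  return problems;
}

// Constructed sample input (package names and hashes are placeholders).
const SAMPLE_PKG = {
  dependencies: { 'example-lib': '^1.2.0' },
  devDependencies: { 'example-test': '^3.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-lib': '^1.2.0' }, devDependencies: { 'example-test': '^3.0.0' } },
    'node_modules/example-lib': { version: '1.2.3', integrity: 'sha512-CONSTRUCTED-A' },
    'node_modules/example-test': { version: '3.0.1', dev: true, integrity: 'sha512-CONSTRUCTED-B' },
  },
};
console.log(checkLock(SAMPLE_PKG, SAMPLE_LOCK)); // no drift in the sample
```

A non-empty result means package.json was edited without regenerating the lock file, or that the lock file contains an entry that is not pinned by hash.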