npm version 5 adds a package-lock.json to each repository. Do we want to have this committed or ignored?
I would suggest not committing the file, because composer.lock is also not committed. This file has the same effect and should be handled the same way.
There are two extensions at the moment having this file committed:
AdvancedSearch - I0f591d75d0a7b8755b446398e753507b36db15b1
WikibaseLexeme - Icc91a224e264c9b33df70254958b0af95a463d03
A decision before many developers are using npm5 and committing this would be nice, to have a specification for how to handle this.
In case of ignore, mediawiki core, all extensions and all skins with node_modules in .gitignore should get a line added to their .gitignore. Committed files should be removed.