Consider removing package-lock.json from template

[tormi]

Currently, it's impossible to merge quite frequent dependabot.yml pull requests because these are overwriting our minimally configured package-lock.json. See #274 for example.

[tormi]

Let's investigate if we can exclude files from Dependabot first. Configuration options for dependency updates, https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

[tormi]

There's a Dependabot FR filed to only target package.json file dependabot/dependabot-core#3184

[tormi]

So basically we need similar strategy for manifest file as is available for lockfile (versioning-strategy: lockfile-only). See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#versioning-strategy