devour-js/devour-client

Yarn.lock and package-lock.json potential conflict - is yarn.lock still needed?

rmcsharry opened this issue · 1 comment

It seems to me that the project should not have both of these lock files; it leads to confusion. Which package manager is being used, npm or yarn?

For example, I had assumed it was npm and so the PR to upgrade axios was created based on that. But notice that the yarn.lock file still specifies the previous (vulnerable) version of axios.

I think yarn.lock should be deleted, yes?

Yarn will use a package-lock.json file if a yarn.lock file is not present. We can safely remove yarn.lock.
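As an added example (not code from the devour-client project), the check below reports packages pinned to different versions in yarn.lock and package-lock.json, which is how the situation described in this issue (an upgrade applied in one lock file but not the other) can be caught before merge. Both lock file excerpts are constructed, and the version numbers in them are placeholders.

```python
import json
import re

# Constructed yarn.lock (v1 format) excerpt; versions are placeholders.
YARN_LOCK = """\
# yarn lockfile v1

axios@^0.18.0:
  version "0.18.0"
  resolved "https://registry.example/axios-0.18.0.tgz"

lodash@^4.17.0:
  version "4.17.15"
"""

# Constructed package-lock.json excerpt (lockfileVersion 1 layout).
PACKAGE_LOCK = json.dumps({
    "name": "example", "lockfileVersion": 1,
    "dependencies": {"axios": {"version": "0.18.1"},
                     "lodash": {"version": "4.17.15"}},
})

def _yarn_name(spec):
    # 'axios@^0.18.0' -> 'axios'; '@scope/pkg@^1.0.0' -> '@scope/pkg'
    spec = spec.strip().strip('"')
    at = spec.rfind("@")
    return spec[:at] if at > 0 else spec

def yarn_lock_versions(text):
    """Map package name -> set of pinned versions in a yarn.lock v1 text."""
    versions, current = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace() and line.endswith(":"):   # entry header
            current = [_yarn_name(s) for s in line[:-1].split(",")]
            continue
        m = re.match(r'^\s+version\s+"([^"]+)"', line)
        if m:
            for name in current:
                versions.setdefault(name, set()).add(m.group(1))
    return versions

def package_lock_versions(text):
    """Map package name -> set of pinned versions; handles lockfileVersion 1 and 2/3."""
    data, versions = json.loads(text), {}
    for name, entry in data.get("dependencies", {}).items():        # v1 layout
        versions.setdefault(name, set()).add(entry["version"])
    for path, entry in data.get("packages", {}).items():            # v2/v3 layout
        if path.startswith("node_modules/"):
            name = path.rsplit("node_modules/", 1)[1]
            versions.setdefault(name, set()).add(entry["version"])
    return versions

def lockfile_divergence(yarn_text, npm_text):
    """Packages pinned to different versions in the two lock files."""
    y, n = yarn_lock_versions(yarn_text), package_lock_versions(npm_text)
    return {k: (sorted(y[k]), sorted(n[k])) for k in y.keys() & n.keys() if y[k] != n[k]}
```

Run in CI on a repository that carries both files, a non-empty result means the two lock files no longer agree and one of them is stale.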