fix: change .npmrc package-lock from false to true (#355)

The `package-lock=false` setting prevents npm from updating
package-lock.json during local development, causing drift between
what developers test locally and what `npm ci` installs in CI.

This contradicts the committed lockfile and weakens the supply chain
protection that `npm ci` provides.

Co-authored-by: Isaac
Signed-off-by: Jiabin Hu <jiabin.hu@databricks.com>

Author: shivam2680

.npmrc

@@ -1 +1 @@
-package-lock=false
+package-lock=true