Since this commit we have two package lock files in the project: https://github.com/camunda/camunda-operate/commit/e266027d1e894ed7d71a9fae9d60089cee30616a#diff-a357eeafe4d42d4d291125cb288f2cee
Before we were using only yarn.lock file, which was also used on the CI (on the CI the packages in /client are also installed with yarn, picking the versions from yarn.lock)
The problem with having two lock files is that for somebody who manually installs a package with npm (updating only package-lock.json only), will cause the yarn.lock file to be out of date. This could lead to different packages being installed on the local machine versus the ci.
We as contributors should stick with one way of installing packages and update the readme files accordingly.