chore: update broken package-lock resolves #886
Conversation
punya
left a comment
Thanks for looking into this. Are we pulling from any mirrors other than registry.npmjs.org elsewhere in our lockfiles? I'm curious if the addition of netflix as a mirror was intentional, was reviewed in the appropriate way, and if we have safeguards to prevent accidental or malicious introduction of mirrors in future.
@punya not anymore:

```
$ pcregrep -h -o1 '\"resolved\": \"https:\/\/(.+?)\/' `git ls-files **/package-lock.json` | sort | uniq
registry.npmjs.org
```

This change was introduced ~2 years ago in #564. The author of the PR works at netflix and judging by this npm package, netflix devs probably are/were using a custom registry, either with

Also want to point out that package-lock.json files are not distributed on npm when publishing, so mirrors can't be maliciously introduced to users (could affect local builds of OC though).

@jsuerth I tried just deleting the package locks first and regenerating, but this upgraded a bunch of dependencies and broke the build as well :( so I took the route of replacing the mirror URLs instead. The changes to other lockfiles are npm upgrading them to lockfile version 2 since I am using npm v7.
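As a safeguard of the kind punya asks about, here is an added example (not code from this PR or the OC project) that scans a lockfile's `resolved` URLs against an allowlist of registry hosts and reports anything else; the sample lockfile and `example-pkg` are constructed, and the stale mirror host is the one quoted in this thread.

```javascript
// Added example (not part of the PR): flag "resolved" URLs in a
// package-lock.json whose host is not an approved registry. Handles
// lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" by path).
const ALLOWED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Yield [name, resolvedUrl] for every entry carrying a "resolved" field.
function* resolvedEntries(lock) {
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (pkg && pkg.resolved) yield [path, pkg.resolved];
    }
    return; // v2/v3 also keep a legacy "dependencies" copy; skip duplicates
  }
  const walk = function* (deps) {
    for (const [name, dep] of Object.entries(deps || {})) {
      if (dep.resolved) yield [name, dep.resolved];
      yield* walk(dep.dependencies); // v1 nests transitive dependencies
    }
  };
  yield* walk(lock.dependencies);
}

// Return entries whose resolved host is not allowlisted. Non-URL values
// (e.g. "file:" tarballs) get host null and are reported for review too.
function findUnapprovedResolved(lockJson, allowed = ALLOWED_REGISTRY_HOSTS) {
  const findings = [];
  for (const [name, resolved] of resolvedEntries(JSON.parse(lockJson))) {
    let host = null;
    try { host = new URL(resolved).host; } catch { /* not a URL */ }
    if (host === null || !allowed.has(host)) findings.push({ name, resolved, host });
  }
  return findings;
}

// Constructed sample v2 lockfile: the stale mirror URL quoted in the PR
// beside an ordinary registry.npmjs.org entry ("example-pkg" is made up).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "": { name: "sample" },
    "node_modules/@babel/code-frame": { version: "7.0.0", resolved: "https://artifacts.netflix.com/api/npm/npm-netflix/@babel/code-frame/-/code-frame-7.0.0.tgz" },
    "node_modules/example-pkg": { version: "1.0.0", resolved: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz" },
  },
});

for (const f of findUnapprovedResolved(SAMPLE_LOCK)) {
  console.log(`unapproved host ${f.host} for ${f.name}: ${f.resolved}`);
}
```

Run over `git ls-files '**/package-lock.json'` in CI, a non-empty result fails the build before a stray mirror lands on a branch.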
Some package-lock.json files were using an npm mirror from netflix that is no longer working. For example https://artifacts.netflix.com/api/npm/npm-netflix/@babel/code-frame/-/code-frame-7.0.0.tgz is broken and it should use registry.npmjs.org. So I ran:

and then was able to run `npm install` normally and everything completed alright.