Do you have any stats or profiling info on the binary lockfile? JSON gets parsed so fast (GBs in a second?) that intuitively it doesn't seem to me like it would be a bottleneck, especially if you have the flexibility to change the representation. I know `package-lock.json` is especially verbose, but e.g., Elixir's `mix.lock` is pretty trim, and still human-readable.
If it really is a problem, then a binary lockfile might be worth it, but it's a pretty substantial hit to developer experience, I think. At least, I'm accustomed to checking the lockfile diff on PRs, and it's a shame to lose that.
Haven't experimented enough with text-based lockfile formats. It's worth trying.
To make serialization fast though, it would still need to do structure of arrays instead of an array of structures. Instead of each package being an object in the lockfile, arrays of package names, of version numbers, etc. it would need a tool to understand it
If it really is a problem, then a binary lockfile might be worth it, but it's a pretty substantial hit to developer experience, I think. At least, I'm accustomed to checking the lockfile diff on PRs, and it's a shame to lose that.