lockfile has a note in its readme saying it’s deprecated and hasn’t had a release since 2015. I’m not at all sure “tell people not to use it” is a viable strategy for getting marked as “not critical”.
(To be clear, as someone with genuinely critical projects on my list, I’m fine with having 2FA. But I am concerned about the classic xkcd guy who maintains all by himself a single project that loads of people depend on, deciding that the implications of being “critical” are just too much, and abandoning his project altogether…)