Using (or not) package-lock.json

We’ve begun piecemeal removing package-lock.json, with @brianleroux recently citing the following link re. lockfile (non-)use:

• https://github.com/sindresorhus/ama/issues/479
• https://www.twilio.com/blog/lockfiles-nodejs

My own conclusions: package-lock.json provides no benefit in published packages, but remains necessary for deterministic deployments of actual Architect project app repos. So official Architect packages could stand to shed package-lock.json, while https://github.com/architect-examples should keep their lockfiles.

That said, in a world constantly creeping entropy, I like to fend off instability with whatever determinism I can find. Some alternative ideas:

• Swap out package-lock.json for npm-shrinkwrap.json – theoretically solves the issue of npm ignoring the lockfile for published modules adding the determinism of a lockfile to our packages, but we still pay a penalty in dep updating noise, git pack size, etc., and it’s officially warned against for libraries
  • Further: I’m not sure this is a meaningful real-world issue? Architect has been downloaded and used quite a bit, and I’m unaware of >= second-order dependency mismatches presenting issues to us or our users
• Dependency version pinning – we started pinning first-level dependencies in @architect/architect 6.0.11 last September; I like this approach, and I’d suggest every official production Architect package should only be allowed to have version-pinned dependencies (devDependencies are fine to be ranges)

Thoughts?