From https://docs.npmjs.com/files/package-lock.json#optional:
If true then this dependency is either an optional dependency ONLY of the top level module or a transitive dependency of one. This is false for dependencies that are both an optional dependency of the top level and a transitive dependency of a non-optional dependency of the top level.
It’s safe to merge this change.
The reason you see this change is most likely because npm slightly changed how package-lock.json is structured in version 6.6. Your mate basically ran npm install with npm 6.6+ on a package-lock.json previously generated with npm 6.5-.
You should be able to avoid this kind of issue by making sure everyone on your team uses a recent version of npm.