I found some articles on the web regarding this question. Follow the links:
npm uses JSON as the format for the lock file. The good news is that since [email protected], npm ignores the resolved field in the package-lock.json file and basically falls back to the one defined in .npmrc or via the --registry argument on the CLI if it exists; otherwise, it will use the one defined in the resolved field.
Another day, another tweet about #npm5 goodies.
npm is now agnostic about which registry you used to generate the package-lock.json.
The purpose of resolved in package-lock.json is to bypass the dependency resolution step (fetching metadata) when you are missing packages. integrity is to verify that you’re getting the same thing. Without the resolved field, uncached installations can break due to metadata changes, and they’ll also be significantly slower because we have to do a full metadata fetch before we can actually download anything.
Note that package-lock.json does not allow different packages to be fetched from different registries. Even if you have a package lock with different packages using different resolved fields, all of the packages will always be fetched from whatever your current registry= setting is, in npmrc. resolved fields that do not match the configured registry will go through the (slower) metadata fetching I mentioned above, but will still be fetched only from the current registry.
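As an added example (not taken from the quoted articles or from npm itself), the script below lists lockfile entries whose resolved host differs from the registry you expect, and entries that have no integrity value or only a SHA-1 digest. The function names lockEntries and auditLock, the sample lockfile and the mirror.example.test host are assumptions made for illustration.

```javascript
'use strict';

// Yield [path, entry] pairs. lockfileVersion 2/3 keeps a flat "packages" map;
// version 1 (npm 5/6) nests "dependencies" recursively.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== '') yield [path, entry]; // "" is the root project
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield [path, entry];
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Hypothetical helper: report entries whose "resolved" host differs from the
// expected registry, and entries with no "integrity" or only a SHA-1 digest.
function auditLock(lock, registry) {
  const expectedHost = new URL(registry).host;
  const findings = [];
  for (const [path, entry] of lockEntries(lock)) {
    if (entry.link || entry.bundled || entry.inBundle) continue; // not fetched on their own
    let url = null;
    try { url = entry.resolved ? new URL(entry.resolved) : null; } catch { /* not a URL */ }
    if (url && !/^https?:$/.test(url.protocol)) {
      findings.push({ path, issue: 'non-registry-source', detail: entry.resolved });
    } else if (url && url.host !== expectedHost) {
      findings.push({ path, issue: 'foreign-host', detail: url.host });
    }
    const algos = (entry.integrity || '').split(/\s+/).filter(Boolean).map((h) => h.split('-')[0]);
    if (algos.length === 0) findings.push({ path, issue: 'missing-integrity', detail: '' });
    else if (algos.every((a) => a === 'sha1')) findings.push({ path, issue: 'sha1-only-integrity', detail: entry.integrity });
  }
  return findings;
}

// Constructed sample in the v1 layout; hosts and digests are placeholders.
const sampleLock = { lockfileVersion: 1, dependencies: {
  a: { version: '1.0.0', resolved: 'https://registry.npmjs.org/a/-/a-1.0.0.tgz', integrity: 'sha512-AAAA' },
  b: { version: '2.0.0', resolved: 'https://mirror.example.test/b/-/b-2.0.0.tgz', integrity: 'sha1-BBBB',
       dependencies: { c: { version: '0.1.0', resolved: 'https://registry.npmjs.org/c/-/c-0.1.0.tgz' } } },
} };
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and your registry URL to `auditLock`.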