What is the point of putting npm’s “package-lock.json” under version control?

In my experience, it does not make sense to put package-lock.json under version control: it makes managing large merges and rebases a nightmare. However, there are instances where the package-lock can be very useful.

Recently (2017/10/10) moment.js introduced breaking changes in a minor version update. This means that if one shipped with no package-lock.json and had something like this in package.json:

"moment": "^2.12.0"

the breaking changes introduced in version 2.19.0 would silently infiltrate the code with almost no trace, because the caret range accepts any 2.x release at or above 2.12.0.

This is why, after cutting a branch to serve as a release candidate, it is crucial to:

  • remove package-lock.json from .gitignore
  • run npm install to generate a package-lock.json
  • test, QA, and deploy with this package-lock

This ensures your npm module versions remain locked to the same versions that were tested.
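To make the caret-range behaviour concrete, here is an added JavaScript example (not part of the original post) that resolves a constructed package.json against a constructed registry snapshot, once the way a fresh npm install would (highest matching version) and once through a lockfile pin. The registry version list, the lock entry and the helper names are assumptions, and only plain ^x.y.z ranges are handled.

```javascript
// Constructed sample inputs (not real project files): a package.json with a
// caret range and a lockfile that pinned the version present when QA ran.
const packageJson = { dependencies: { moment: "^2.12.0" } };
const packageLock = { dependencies: { moment: { version: "2.18.1" } } };
// Constructed registry snapshot: versions a fresh "npm install" could pick.
const registry = { moment: ["2.12.0", "2.18.1", "2.19.0"] };

const parse = (v) => v.split(".").map(Number);
const compare = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// npm caret semantics: allow changes that keep the left-most non-zero
// component. Only plain "^x.y.z" ranges are handled (assumption).
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`unsupported range: ${range}`);
  const [rMaj, rMin, rPat] = parse(range.slice(1));
  const [vMaj, vMin, vPat] = parse(version);
  if (vMaj !== rMaj) return false;
  if (rMaj > 0) return compare(version, range.slice(1)) >= 0;
  if (vMin !== rMin) return false;
  return rMin > 0 ? vPat >= rPat : vPat === rPat;
}

// What "npm install" without a lockfile resolves to: the highest published
// version that satisfies the range (here 2.19.0, the breaking release).
function resolveFloating(name, range) {
  const ok = registry[name].filter((v) => satisfiesCaret(range, v));
  return ok.sort(compare).pop();
}

// What the lockfile pins, plus a consistency check: the pinned version must
// still satisfy package.json, otherwise the lock is stale (npm ci refuses
// to install from a lock that disagrees with package.json).
function resolveLocked(name, range) {
  const locked = packageLock.dependencies[name].version;
  return { version: locked, consistent: satisfiesCaret(range, locked) };
}

function report() {
  return Object.entries(packageJson.dependencies).map(([name, range]) => ({
    name,
    range,
    floating: resolveFloating(name, range),
    locked: resolveLocked(name, range),
  }));
}
console.log(JSON.stringify(report(), null, 2));
```

Run with node; the floating resolution lands on 2.19.0 while the locked one stays on the tested 2.18.1.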
