It’s OK to not use Yarn
David Gilbertson

I’ve used the npm 5 package-lock feature for some time. But it doesn’t do what it’s supposed to do, as the name package-LOCK.json implies. I immediately switched to Yarn, as I’ve been using it for a very long time.

To realise how npm’s locking feature is broken (they say it’s an intended feature), set up a project with some dependencies and commit the lock file. Wait a week or two (for new version releases) and remove the node_modules/ folder. If you then run npm install, you will see that package-lock.json has been modified, as git status shows.

See the relevant Stack Overflow post and GitHub issue.

I strongly recommend that anyone go through the above two links before choosing the npm 5 lock feature for dependency version locking.
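The experiment above, scripted so it can run as a CI gate. This is an added example, not code from the comment or from npm or Yarn; the function names are my own. It assumes a POSIX shell with cp, cmp and diff; `install_drift_check` additionally assumes npm is on PATH and can reach a registry, while `demo` uses a constructed lockfile so the detection logic itself runs offline.

```shell
#!/bin/sh
# Added example, not from the original comment. Function names are my own.
# Runs a command and reports whether it rewrote a lockfile, which is the
# observation the comment describes (npm install mutating a committed
# package-lock.json). The check itself needs only POSIX tools: cp, cmp, diff.

# lockfile_changed LOCKFILE COMMAND [ARGS...]
#   exit 0  -> the lockfile differs after COMMAND (drift detected)
#   exit 1  -> byte-identical (lockfile honoured)
#   exit 2  -> COMMAND itself failed
lockfile_changed() {
  lock="$1"; shift
  snapshot=$(mktemp) || return 2
  if [ -f "$lock" ]; then
    cp "$lock" "$snapshot"
  else
    : > "$snapshot"          # no lockfile yet: any file written counts as change
  fi

  if ! "$@"; then
    rm -f "$snapshot"
    return 2
  fi

  if [ -f "$lock" ] && cmp -s "$snapshot" "$lock"; then
    rm -f "$snapshot"
    return 1
  fi

  echo "lockfile '$lock' was modified by: $*" >&2
  # diff exits 1 when the files differ; that is the expected case here
  diff -u "$snapshot" "$lock" >&2 || true
  rm -f "$snapshot"
  return 0
}

# install_drift_check: the comment's experiment as one call. Assumes it is run
# in a project with a committed package-lock.json and that npm is on PATH.
install_drift_check() {
  rm -rf node_modules
  lockfile_changed package-lock.json npm install
}

# Offline demonstration on a constructed lockfile (not real registry data):
# the first command leaves it alone, the second rewrites a resolved version
# the way the comment reports npm install doing.
demo() {
  dir=$(mktemp -d)
  printf '{"dependencies":{"left-pad":{"version":"1.1.3"}}}\n' > "$dir/package-lock.json"
  if lockfile_changed "$dir/package-lock.json" true 2>/dev/null; then
    echo "unexpected: no-op reported as drift"; rm -rf "$dir"; return 1
  fi
  if ! lockfile_changed "$dir/package-lock.json" \
       sh -c 'printf "{\"dependencies\":{\"left-pad\":{\"version\":\"1.2.0\"}}}\n" > "$1"' \
       sh "$dir/package-lock.json"; then
    echo "unexpected: rewrite not detected"; rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  echo "drift detection works"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

In a repository the same check can be done with `git diff --exit-code package-lock.json` after the install, since the committed copy is the snapshot. Newer npm releases also ship `npm ci`, which installs strictly from package-lock.json, exits with an error when it disagrees with package.json and never writes the lockfile, so a pipeline that uses it cannot silently pick up the drift described above.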