Closed mayankchhabra closed 4 years ago
We can explicitly choose versions of dependencies in package.json, but that won't help because of the fact that those dependencies may or may not have explicitly defined their own dependencies.
That is exactly why it's always recommended to commit package-lock.json.
"This file is intended to be committed into source repositories" (From: https://docs.npmjs.com/configuring-npm/package-lock-json.html)
I don't think we should. Better to just explicitly choose versions in package.json if we are worried about future incompatibilities, and it's good codebase hygiene anyway to keep up with whatever libraries we are using or choose to drop.
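An added example (not code from this thread or from the project) of the point about dependencies declaring their own ranges: it scans a lockfile in the lockfileVersion 2/3 `packages` layout and lists every dependency edge whose declared spec is not an exact version, next to the version the lock recorded. The lockfile contents and package names are constructed for illustration.

```javascript
// Added example. Constructed lockfile (lockfileVersion 2/3 "packages" layout);
// package names and versions are made up for illustration.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "lib-a": "1.2.3", "lib-b": "2.0.0" } },
    "node_modules/lib-a": { version: "1.2.3", dependencies: { "lib-c": "^4.1.0" } },
    "node_modules/lib-b": { version: "2.0.0", dependencies: { "lib-c": "~3.9.0", "lib-d": "3.0.1" } },
    "node_modules/lib-c": { version: "4.2.7" },
    "node_modules/lib-b/node_modules/lib-c": { version: "3.9.4", dependencies: { "lib-e": "*" } },
    "node_modules/lib-d": { version: "3.0.1" },
    "node_modules/lib-e": { version: "0.5.0" },
  },
};

// A spec is pinned only if it names one exact version; ranges, "*", tags and URLs float.
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const isExact = (spec) => EXACT.test(spec.trim());

// Node-style lookup: nearest node_modules/<name>, walking up from the dependent package.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every "dependencies" edge declared as a non-exact spec, with the version the lock holds.
// (devDependencies, optionalDependencies and peerDependencies are not inspected here.)
function floatingEdges(lockfile) {
  const out = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
      if (isExact(spec)) continue;
      const target = resolve(lockfile.packages, path, name);
      const locked = target ? lockfile.packages[target].version : null;
      out.push({ from: path === "" ? "(root)" : path, name, spec, locked });
    }
  }
  return out;
}

for (const e of floatingEdges(lock)) console.log(`${e.from} -> ${e.name}@${e.spec} (locked: ${e.locked})`);
```

In this sample the root manifest pins both direct dependencies exactly, yet three edges below it are ranges; the `locked` column is the only record of which versions were actually installed.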