You are reading content from Scuttlebutt
@Dominic %9zehI/dBWSL4x2LIIlMa1oyB2sq31g6B1Hz7hOp1+cc=.sha256
Re: %RZW7keS4V

I've found package-lock.json to be generally frustrating. Like, I can't tell if npm has installed from the package-lock or not. Also, package-lock.json only applies to npm install when you've checked it out, not npm install <module_name>, but shrinkwrap does do that. So, that is why I have shrinkwrap in scuttlebot-release: you can do npm install scuttlebot-release@version and actually get a known working version. (I'd recommend that anyone embedding scuttlebot in their application uses scuttlebot-release, as is suggested in the scuttlebot readme.)

The other day, because of the unclarity of how npm handled package-lock, I actually wrote my own install-from-shrinkwrap script, to install patchfoo. npm-install-shrinkwrap

Because of other problems, like noisy diffs, I'd rather just put shrinkwraps on the couple of modules that you might need to use independently, as -release or something. package-lock makes more sense for applications, though.
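
Added example, not part of the post above and not the npm-install-shrinkwrap script it mentions: one way to check whether an installed tree actually matches a package-lock.json or npm-shrinkwrap.json, which is the uncertainty the post describes. The function names and the sample data are hypothetical, and the map of installed versions is assumed to have been read from the package.json files under node_modules.

```javascript
// Flatten a lockfile into { "node_modules/a/node_modules/b": "1.2.3" }.
// Handles lockfileVersion 1 (nested `dependencies`) and 2/3 (flat `packages`).
function flattenLock(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // "" is the root project itself; linked entries carry no version.
      if (path !== '' && !meta.link) out[path] = meta.version;
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out[path] = meta.version;
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// `installed` maps install path -> version (assumed gathered from node_modules).
function diffInstall(lock, installed) {
  const locked = flattenLock(lock);
  const report = { missing: [], mismatched: [], extraneous: [] };
  for (const [path, version] of Object.entries(locked)) {
    if (!(path in installed)) report.missing.push(path);
    else if (installed[path] !== version) {
      report.mismatched.push({ path, locked: version, installed: installed[path] });
    }
  }
  for (const path of Object.keys(installed)) {
    if (!(path in locked)) report.extraneous.push(path);
  }
  return report;
}

// Constructed sample: v1-style shrinkwrap with one nested dependency.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'pkg-a': { version: '1.0.0', dependencies: { 'pkg-b': { version: '2.1.0' } } },
    'pkg-c': { version: '0.3.2' },
  },
};
const sampleInstalled = {
  'node_modules/pkg-a': '1.0.0',
  'node_modules/pkg-a/node_modules/pkg-b': '2.2.0', // drifted from the lock
  'node_modules/pkg-d': '4.0.0', // not in the lock
};
const sampleReport = diffInstall(sampleLock, sampleInstalled);
```

Any non-empty list in the report means the tree on disk is not the one the lock or shrinkwrap file describes.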
