by scottmf 3087 days ago
What would you gain by storing the commit in the lock file?

You can reference commits in package.json already.

1 comment

For the purpose of a reproducible `node_modules` tree.

Ideally, if all packages used commits and the installation algorithm never changed, there would be no need for lock files.

In reality, some packages will use NPM's existing mechanism, so the "git-based algorithm" will need to accommodate that by reading the git repo of the NPM package and referring to a specific commit, which should be stored in `package-lock.json`.