That sounds pretty reasonable: npm should allow bundling the lockfile with things that are marked with the type of "project", and whether it actually uses them depending on whether other locked constraints are overriding it. So instead of one lockfile, a prioritized list of them. The UX of dealing with that list could be a sticky wicket though, and npm isn't known for making this stuff easy to begin with.