package-lock.json is used to check in source control. If you use npm5 ( npm install-g npm@latest ), you can see the following bold text on the command line: created a lockfile as package-lock.json. You should commit this file. is derived from npm help package-lock.json :

package-lock.json is automatically generated for any action by npm that modifies the node_modules tree or package.json. It describes the exact tree generated so that subsequent installations can generate the same tree, regardless of intermediate dependency updates.

this file is intended to be submitted to the source code base and for various purposes:

• describes a single representation of a dependency tree, which ensures that members, deployment, and continuous integration can install exactly the same dependencies.
• provides a tool for users to "traverse" the previous state of node_modules without committing the directory itself.
• promotes greater visibility of trees through readable source control extensions.
• and optimize the installation process to allow npm to skip duplicate metadata parsing for installed packages.

A key detail about package-lock.json is that it cannot be published and will be ignored if it is found anywhere other than the top-level package. It shares the format with npm-shrinkwrap.json (5) , which is basically the same file, but allows publishing. This is not recommended unless you deploy CLI tools or otherwise use the release process to produce production packages.

if package-lock.json and npm-shrinkwrap.json both exist in the root directory of a package, package-lock.json will be completely ignored.