Whenever npm modifies the content of your node_modules folder or package.json (for example, when using npm install), it will also automatically create or update a file called package-lock.json.

That file describes the exact filesystem tree that was generated by npm while installing the dependencies. Basically, it includes the complete list of dependencies and exact versions that were installed, both for your direct dependencies and the transitive ones.

When that file is present, subsequent installs will leverage it to install the exact same versions of the dependencies, regardless of any dependency updates that could've occurred.

This is great because it ensures that anyone installing your project will get the exact same versions of all dependencies (direct and transitive ones).

We don't have time to dive into the details about package-lock.json, so please refer to the official documentation to find out more: https://docs.npmjs.com/files/package-lock.json.