Open
Description
Opening this here again as the repository of the earlier reported issue got archived.
npm/npm#20603
The npm documentation clearly states that package-lock is always meant to be committed, leaving library authors unaware of the risk that their consumers might install different dependency versions than the ones they are using.
The documentation should be changed to mention that since package-lock files are ignored in published npm packages, library authors should exercise caution when choosing to commit them to source code.
Examples:
It is highly recommended you commit the generated package lock to source control
This file is intended to be committed into source repositories
Article with reasoning:
https://gajus.medium.com/stop-using-package-lock-json-or-yarn-lock-909035e94328
cc: @gajus