Monday, April 8, 2019

Why you should put package-lock.json in source control

The short answer: it eliminates the "works on my machine" response from developers. As the npm documentation puts it:
package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.
This keeps every installed dependency at the same version whenever you run npm i. Without it, each package listed in package.json pulls in its dependency tree according to whatever ranges that package specifies, i.e. the latest compatible version (@^x.x.x) or anything else the range allows. So without a package-lock.json you're at the mercy of what your dependencies specify.
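To make the difference concrete, here is an added example (not code from the original post or from npm) that resolves the same package.json two ways: once the way an install without a lockfile would, picking the highest published version that satisfies each caret range, and once from a lockfileVersion 3 package-lock.json, where the recorded version is used regardless of what has been published since. It also runs a small hygiene check over the lock entries, since a pinned version without an integrity hash or an https resolved URL is a weaker pin than it looks. The package names, versions, registry index, URLs and hash are all constructed sample data, and the caret-range matcher handles only plain major.minor.patch versions (no prerelease tags), which is a simplification of npm's semver rules.

```javascript
// Added example: how a caret range in package.json resolves with and without
// a package-lock.json. All package names, versions and URLs below are constructed.

// Parse "1.2.3" into [1, 2, 3]. Prerelease tags are not handled (simplification).
function parseVersion(v) {
  return v.split(".").map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret semantics as npm applies them: ^1.2.3 => >=1.2.3 <2.0.0,
// ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4. Anything else is an exact pin.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) return range === version;
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin, bPat] = parseVersion(base);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return vMaj === 0 && vMin === 0 && vPat === bPat;
}

// Without a lockfile: the highest published version matching each range wins,
// so the result changes every time the registry gains a compatible release.
function resolveWithoutLock(packageJson, registryIndex) {
  const out = {};
  for (const [name, range] of Object.entries(packageJson.dependencies)) {
    const candidates = (registryIndex[name] || []).filter((v) => satisfiesCaret(range, v));
    if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
    out[name] = candidates.sort(compareVersions).pop();
  }
  return out;
}

// With a lockfile (lockfileVersion 2/3 "packages" layout): the recorded
// version is what gets installed, whatever the registry has published since.
function resolveWithLock(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project entry
    out[path.replace(/^node_modules\//, "")] = entry.version;
  }
  return out;
}

// Lockfile hygiene check: every dependency entry should carry an integrity hash
// and resolve to an https URL, otherwise the pin does not guard the tarball contents.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    if (!entry.integrity) findings.push(`${path}: missing integrity`);
    if (!entry.resolved || !entry.resolved.startsWith("https://"))
      findings.push(`${path}: resolved URL is not https`);
  }
  return findings;
}

// Constructed sample data: a package.json, a fake registry index of published
// versions, and a lockfile written when the older versions were current.
const packageJson = { dependencies: { "example-lib": "^1.2.0", "tiny-util": "^0.3.1" } };
const registryIndex = {
  "example-lib": ["1.2.0", "1.2.5", "1.4.0", "2.0.0"],
  "tiny-util": ["0.3.1", "0.3.4", "0.4.0"],
};
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/example-lib": {
      version: "1.2.0",
      resolved: "https://registry.example.invalid/example-lib/-/example-lib-1.2.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH",
    },
    "node_modules/tiny-util": {
      version: "0.3.1",
      resolved: "http://mirror.example.invalid/tiny-util-0.3.1.tgz", // deliberately weak entry
    },
  },
};

console.log("without lock:", resolveWithoutLock(packageJson, registryIndex));
console.log("with lock:   ", resolveWithLock(packageLock));
console.log("audit:", auditLock(packageLock));
```

Running it shows example-lib drifting from 1.2.0 to 1.4.0 and tiny-util from 0.3.1 to 0.3.4 when no lockfile is consulted, while the lockfile path returns exactly what was recorded; the audit flags the tiny-util entry for lacking an integrity field and for a plain-http resolved URL. In a real project, npm ci is the command that enforces the lockfile strictly, and committing package-lock.json is what makes that enforcement reproducible across machines.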
