
I see your point, but if a dependency package needs exact versions for its dependencies, I'd expect it to be specified in its package.json as well. If not, then I don't see why exact dependencies for the entire tree are needed.

Sure, if a package absolutely needs exact dependencies for its entire tree, it can check in the lock file, but I've not found this necessary in practice provided I use dependencies I trust that follow semantic versioning.



> Sure, if a package absolutely needs exact dependencies for its entire tree

Not sure you're talking about the same thing as everyone else.

There's a big difference if you're maintaining a package vs maintaining an app.

If you're a "package" maintainer, you don't want to pin dependencies. Because the package consumer (i.e. people building apps using your package) should not have their exact versions dictated to them.

If you're an "app" maintainer, you absolutely need to check in your lockfile, because you should care about repeatable builds.
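The package-versus-app distinction in the comment above, as an added illustration that is not code from the thread: a library declares a semver range in its package.json, so what a consumer actually gets depends on what the registry contains on install day, whereas an app that checks in its lockfile resolves to the same exact version every time. The registry snapshots, the package name `left-pad-ish`, and the lockfile contents below are all constructed for the example; `satisfies` is a deliberately minimal matcher (exact, caret and tilde only, no prerelease tags), not npm's real semver implementation.

```javascript
// Added example (not from the HN thread): how a caret range drifts between
// installs as the registry changes, and how a checked-in lockfile pins it.
// All registry contents and package names below are constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease tags are out of scope here).
function parse(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Numeric semver ordering: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Minimal semver matcher: exact "1.2.3", caret "^1.2.3", or tilde "~1.2.3".
function satisfies(version, range) {
  if (range.startsWith('^') || range.startsWith('~')) {
    const base = range.slice(1);
    if (compare(version, base) < 0) return false;      // never below the floor
    const lo = parse(base), v = parse(version);
    if (range.startsWith('~')) {
      // tilde: patch bumps only
      return v.major === lo.major && v.minor === lo.minor;
    }
    // caret: bumps that keep the leftmost non-zero component fixed
    if (lo.major > 0) return v.major === lo.major;
    if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
    return v.major === 0 && v.minor === 0 && v.patch === lo.patch;
  }
  return compare(version, range) === 0;               // exact pin
}

// Resolve each dependency: a lockfile entry wins (exact, repeatable);
// otherwise take the highest published version in range, which is what a
// fresh install without a lockfile effectively does.
function resolve(deps, registry, lockfile = {}) {
  const out = {};
  for (const [name, range] of Object.entries(deps)) {
    if (lockfile[name]) { out[name] = lockfile[name]; continue; }
    const candidates = (registry[name] || []).filter(v => satisfies(v, range)).sort(compare);
    if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
    out[name] = candidates[candidates.length - 1];
  }
  return out;
}

// Constructed registry snapshots: the day the app was first built, and a
// later day after the dependency published a new minor release.
const registryDay1 = { 'left-pad-ish': ['1.2.0', '1.2.1'] };
const registryDay2 = { 'left-pad-ish': ['1.2.0', '1.2.1', '1.3.0'] };

// The library's package.json declares a range so consumers are not pinned.
const libraryDeps = { 'left-pad-ish': '^1.2.0' };

// The app's checked-in lockfile, captured on day 1 (constructed).
const appLockfile = { 'left-pad-ish': '1.2.1' };

const withoutLock = [resolve(libraryDeps, registryDay1), resolve(libraryDeps, registryDay2)];
const withLock = [
  resolve(libraryDeps, registryDay1, appLockfile),
  resolve(libraryDeps, registryDay2, appLockfile),
];

console.log('no lockfile:  ', withoutLock);   // resolution drifts from 1.2.1 to 1.3.0
console.log('with lockfile:', withLock);      // stays at 1.2.1 on both days
```

The two `resolve` calls without a lockfile produce different trees from the same manifest purely because time passed, which is the repeatability problem the comment describes for apps; with the lockfile supplied, both days resolve identically. In a real project the equivalent is committing package-lock.json and installing with `npm ci`, which refuses to deviate from the lockfile.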



