npm has long had a problem respecting lock files. The concept is easy: have a fixed lock file, get a reproducible build. But no: npm will change your lock file (I believe it's framed as "optimizing") without notice.
(Perhaps they've solved this in the last couple of years. I've been staying away from that ecosystem... too much growing in it...)
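As an added example, not part of the original comment: a small shell guard a CI job can wrap around the install step so that a lock file rewritten behind your back fails the build instead of being committed. It assumes POSIX sh with `sha256sum` and `diff`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original comment): fail the build when the
# wrapped command rewrites the lock file it was handed.

lockfile_digest() {
    # Print the SHA-256 of the lock file, or nothing if the file is missing.
    [ -f "$1" ] && sha256sum "$1" | cut -d' ' -f1
}

# Usage: guard_lockfile <lockfile> <command...>
# Runs the command; returns 0 only if the command succeeded AND the lock
# file is byte-for-byte unchanged afterwards. On drift, prints a unified
# diff of what was changed and returns 1.
guard_lockfile() {
    lock=$1; shift
    before=$(lockfile_digest "$lock")
    snapshot=$(mktemp) || return 2
    cp "$lock" "$snapshot" 2>/dev/null
    if "$@"; then status=0; else status=$?; fi
    after=$(lockfile_digest "$lock")
    if [ "$before" != "$after" ]; then
        echo "lock file drift detected in $lock:" >&2
        diff -u "$snapshot" "$lock" >&2
        rm -f "$snapshot"
        return 1
    fi
    rm -f "$snapshot"
    return "$status"
}

# Typical use in a CI job, wrapping the command that must not touch the lock:
#   guard_lockfile package-lock.json npm install
```

A related check is `npm ci`, which installs strictly from the existing lock file and errors out instead of rewriting it when package.json and package-lock.json disagree.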