[pknopf]

> using npm or bundler simply feels sane

I feel the opposite. Lock files are awesome when your developing a package, but after you release it, you are at the mercy of all your dependencies in making sure that they don't break semvar. Each "npm install" will ignore any lock file your package was using during development.

It would be awesome if I could distribute a package-json.lock file with my npm package and have yarn/npm use it when resolving packages on fresh installations.

Yeah, this would mean that there may be duplicated libraries in your node_modules tree, each with a slightly different version, even if semver compat. However, people break semver to often anyway.

I want to deploy a package to npm and be sure that it will never break, ever.

[regularfry]

Can't you do this right now by specifying exact dependency versions in package.json? Lock files should be for applications, not libraries.

[pknopf]

Yes, but "npm install" will by default add a semver-compat package version. The vast majority of packages out there use what "npm install" gives you be default.

Furthermore, even if I use exact versions in my package.json, that doesn't stop my referenced packages from internally referencing semver-compat versions.

At the very least, you should reference exact versions at the top level. It is better than nothing.

[irishsultan]

> Each "npm install" will ignore any lock file your package was using during development.

That's true for npm, but not for bundler (luckily).

[Groxx]

This is essentially what shrinkwrap does. Apparently it has issues, but it's designed to be the lock file for your package.json.