by regularfry 2957 days ago
Can't you do this right now by specifying exact dependency versions in package.json? Lock files should be for applications, not libraries.

Yes, but "npm install" will by default add a semver-compat package version. The vast majority of packages out there use what "npm install" gives you by default.

Furthermore, even if I use exact versions in my package.json, that doesn't stop my referenced packages from internally referencing semver-compat versions.

At the very least, you should reference exact versions at the top level. It is better than nothing.
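
The point made in the thread above, as an added example that is not part of the original comments: an audit that flags non-exact version specifiers both at the top level and inside the manifests of referenced packages. The package names, versions and the `manifests` map are constructed sample data, and `isExactVersion`, `findFloatingDeps` and `auditTree` are hypothetical helper names.

```javascript
// Constructed sample manifests (not real packages): "app" pins lib-a and
// lib-b exactly, yet lib-a itself declares a caret range on lib-c.
const manifests = {
  "app": {
    dependencies: { "lib-a": "1.4.2", "lib-b": "2.0.0" },
    devDependencies: { "test-tool": "^3.1.0" },
  },
  "lib-a": { dependencies: { "lib-c": "^0.9.1" } },
  "lib-b": { dependencies: {} },
  "lib-c": { dependencies: {} },
  "test-tool": { dependencies: { "lib-c": "~0.9.0" } },
};

// Exact pin = bare x.y.z with optional prerelease/build metadata. Anything
// else (^, ~, >=, *, x-ranges, dist-tags, git/URL specs) may resolve to
// different code on a later install.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const isExactVersion = (spec) => typeof spec === "string" && EXACT.test(spec.trim());

// Non-exact specifiers declared directly by one manifest.
function findFloatingDeps(manifest, sections = ["dependencies", "devDependencies"]) {
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isExactVersion(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Walk the declared graph from a root package and collect floating
// specifiers at any depth. devDependencies count only for the root,
// since npm does not install them for dependencies.
function auditTree(root, registry) {
  const findings = [];
  const seen = new Set();
  const visit = (name, isRoot) => {
    if (seen.has(name) || !registry[name]) return;
    seen.add(name);
    const sections = isRoot ? ["dependencies", "devDependencies"] : ["dependencies"];
    for (const f of findFloatingDeps(registry[name], sections)) {
      findings.push({ declaredBy: name, ...f });
    }
    for (const s of sections) {
      for (const child of Object.keys(registry[name][s] || {})) visit(child, false);
    }
  };
  visit(root, true);
  return findings;
}
```

With the sample data, `auditTree("app", manifests)` reports the root's own caret range plus the ranges declared by `lib-a` and `test-tool`, even though `app` pins `lib-a` exactly. To make "npm install" record exact versions at the top level, npm provides the `--save-exact` flag and the `save-exact` config setting.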