In npm we check in the package-lock.json file because that ensures your builds are stable over time. The cost you pay is that occasionally you need to rev the file manually. The benefit is a changed package won't bork your build.
I have identified that in the following languages we are ignoring the package lock files and not checking them in:
php (top-level composer.lock)