Maybe I'm missing something, but why can't dependency resolution be deterministic? If you always choose the version specified in the config, or the highest version if a few different versions of the same dependency are defined through some intermediaries, you'd always end up with the same set. AFAIK that's the strategy in Gradle for JVM projects, and a similar deterministic strategy is used by Maven.
NPM resolution is not deterministic because package dependencies may be specified using SemVer ranges, e.g. “~1.0.0”, which may result in pulling 1.0.0, 1.0.1, 1.0.2, and so on: anything that matches the 1.0.x specifier.
The NPM ecosystem commonly uses these types of specifiers. Even if your own dependencies are all specified in “package.json” using exact versions, they themselves almost certainly depend on other packages (dependencies of dependencies, and so on) using semver specifiers. That means whenever the author of such a package publishes a new version, your resolved dependencies may change.
The package-lock.json is simply a record of the exact dependency resolution graph based on the registry state that existed at the moment you generated it, so that you can reliably reproduce that graph a month or a year later. Otherwise it’s very common for NPM-based projects to have “npm install” fail later on (or succeed, but introduce a bug or a unit test failure) because some new version was added to the registry and created a compatibility issue or bug.
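As an added illustration of the point made in the reply above (this is example code written for this page, not anything from the thread or from npm itself), here is a toy model of npm's rule "take the highest published version that satisfies the specifier", run against two snapshots of a constructed registry. The package names (app-lib, util-lib), the version lists and the "lock" shape are all made up; only exact versions and the "~" range are modelled, and the model keeps one version per package name rather than npm's nested tree. The root package.json pins app-lib exactly, yet the resolved set still drifts once util-lib's author publishes, and a lock captured on day 1 reproduces the day-1 graph on day 2.

```javascript
// Toy model of npm-style resolution and lock-file replay (constructed example).
// Assumptions: registry snapshots are in-memory objects; only exact and "~" specs.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// "~1.0.0" means >=1.0.0 <1.1.0 (patch-level drift allowed); a bare version is exact.
function satisfies(version, spec) {
  if (spec.startsWith('~')) {
    const v = parseVersion(version), base = parseVersion(spec.slice(1));
    return v.major === base.major && v.minor === base.minor && v.patch >= base.patch;
  }
  return compareVersions(version, spec) === 0;
}

// The highest version currently in the registry that satisfies spec: the answer
// depends on what has been published at the moment resolution runs.
function resolveOne(name, spec, registry) {
  const candidates = Object.keys(registry[name] || {})
    .filter(v => satisfies(v, spec))
    .sort(compareVersions);
  if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${spec}`);
  return candidates[candidates.length - 1];
}

// Breadth-first walk over transitive dependencies. With a lock, each package's
// version is replayed from the lock (and checked against the specifier and the
// registry) instead of being recomputed from the current registry state.
function resolveGraph(rootDeps, registry, lock = null) {
  const resolved = {};
  const queue = Object.entries(rootDeps);
  while (queue.length > 0) {
    const [name, spec] = queue.shift();
    if (resolved[name] !== undefined) continue;
    let version;
    if (lock && lock[name]) {
      version = lock[name];
      if (!registry[name] || !registry[name][version]) {
        throw new Error(`${name}@${version} from lock is no longer in the registry`);
      }
      if (!satisfies(version, spec)) {
        throw new Error(`lock pins ${name}@${version}, which does not satisfy ${spec}`);
      }
    } else {
      version = resolveOne(name, spec, registry);
    }
    resolved[name] = version;
    const deps = registry[name][version].dependencies || {};
    queue.push(...Object.entries(deps));
  }
  return resolved;
}

// Constructed registry, day 1: app-lib is pinned exactly by the root package.json,
// but app-lib itself depends on util-lib through a "~" range.
const registryDay1 = {
  'app-lib': { '2.0.0': { dependencies: { 'util-lib': '~1.0.0' } } },
  'util-lib': { '1.0.0': {}, '1.0.1': {} },
};

// Day 2: util-lib's author has published 1.0.2 (matches ~1.0.0) and 1.1.0 (does not).
const registryDay2 = {
  'app-lib': registryDay1['app-lib'],
  'util-lib': { ...registryDay1['util-lib'], '1.0.2': {}, '1.1.0': {} },
};

const rootPackageJson = { 'app-lib': '2.0.0' };

function demo() {
  const day1 = resolveGraph(rootPackageJson, registryDay1);            // util-lib 1.0.1
  const lock = { ...day1 };                                             // what a lock file records
  const day2Unlocked = resolveGraph(rootPackageJson, registryDay2);     // util-lib 1.0.2 (drifted)
  const day2Locked = resolveGraph(rootPackageJson, registryDay2, lock); // util-lib 1.0.1 (reproduced)
  return { day1, lock, day2Unlocked, day2Locked };
}
```

Running demo() shows the drift the reply describes: nothing in the root manifest changed between the two runs, only the registry did. The lock replay also illustrates why a stale lock can still fail later: if a pinned version were unpublished, or if someone edited the specifier so the pinned version no longer satisfies it, the replay refuses instead of silently re-resolving.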