文章加密


Wednesday, November 13, 2019

package-lock.json vs. package.json

Do you need the package.json? Yes.
Can you have a project with only the package-lock.json? No.
The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json, which is essentially the same file, but allows publication. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json will be completely ignored.


Official documentation: https://docs.npmjs.com/files/package-lock.json (right-clicking and using Google Translate works fine too)





Why does “npm install” rewrite package-lock.json? (This means "npm install" may rewrite package-lock.json at the same time!)

From https://stackoverflow.com/questions/45022048/why-does-npm-install-rewrite-package-lock-json (A great answer!! And I think we can only see the latest update's content.)

In short, the main differences between using npm install and npm ci are:
  • The project must have an existing package-lock.json or npm-shrinkwrap.json.
  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
  • npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
  • If a node_modules is already present, it will be automatically removed before npm ci begins its install.
  • It will never write to package.json or any of the package-locks: installs are essentially frozen.
If you use "npm ci", it won't rewrite!
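
The mismatch that makes npm ci exit with an error can be caught earlier, for example in a pre-commit or CI step. The sketch below is an added example, not npm's own code and not from the Stack Overflow answer: the function `lockDrift` and the sample objects are hypothetical, it assumes a lockfileVersion 2 or 3 lock, and it compares declared ranges as plain strings, which is stricter than npm's semver-based check.

```javascript
// Added example, not npm's implementation. Assumes lockfileVersion 2 or 3:
// packages[""] mirrors the ranges declared in package.json, and
// packages["node_modules/<name>"] holds each locked version.
const FIELDS = ["dependencies", "devDependencies"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function lockDrift(pkg, lock) {
  const packages = lock.packages;
  if (!packages || !has(packages, "")) {
    return ["lock has no packages[\"\"] entry (lockfileVersion 1?)"];
  }
  const problems = [];
  for (const field of FIELDS) {
    const declared = pkg[field] || {};
    const locked = packages[""][field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!has(locked, name)) {
        problems.push(`${field}: ${name} is in package.json but not in the lock`);
      } else if (locked[name] !== range) {
        problems.push(`${field}: ${name} declared ${range}, lock recorded ${locked[name]}`);
      } else if (!has(packages, `node_modules/${name}`)) {
        problems.push(`${field}: ${name} has no locked version`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!has(declared, name)) {
        problems.push(`${field}: ${name} is in the lock but not in package.json`);
      }
    }
  }
  return problems;
}

// Constructed sample: package.json edited by hand (lodash range bumped,
// left-pad added) without regenerating the lock.
const samplePkg = {
  dependencies: { lodash: "^4.17.21", "left-pad": "^1.3.0" },
  devDependencies: { mocha: "^10.2.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { lodash: "^4.17.15" }, devDependencies: { mocha: "^10.2.0" } },
    "node_modules/lodash": { version: "4.17.15" },
    "node_modules/mocha": { version: "10.2.0", dev: true },
  },
};
console.log(lockDrift(samplePkg, sampleLock));
```

An empty array means the declared ranges and the lock agree; anything else is a change to package.json that never went through npm install, so the lock no longer describes what was reviewed.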

Previously, developers who wanted to ensure that node_modules/ and package.json stayed in sync would have to archive their node_modules folder. npm ci replaces this process with a single command.


Conclusion
As you can see, both commands have their valid use cases. I’d recommend using npm ci if possible, as it does its job reliably, and use npm install for installing new dependencies or updating existing ones.
