Hi - one of the reasons we've avoided adding it in is because we have some dependencies where we want npm to pick the latest available version of the extra node-red nodes the core pulls in: https://github.com/node-red/node-red/blob/e03a0fffa9ea2b195d5acda5a8e918b148bce1b7/package.json#L63-L66
I believe if we introduce package-lock.json we'll lose that ability as it'll install the specific version in the lock file and not the latest that matches the semver in package.json - happy to be corrected if I'm wrong on it.
dev branch for 0.20, things get more complicated as we now have 5 modules under the one repo - and the development process never runs npm install under each of those modules, so we don't get a package-lock file generated for them.
So it's something to look at, but not necessarily as simple as just checking one in.