Comment by DDerTyp

You’re right and the excerpt you quoted was poorly worded and confusing. A lockfile is designed to do exactly what you said.

The package.json locked the file to ^1.3.2. If a newer version exists online that still satisfies the range in package.json (like 1.3.3 for ^1.3.2), npm install will often fetch that newer version and update your package-lock.json file automatically.

That’s how I understand it / that’s my current knowledge. Maybe there is someone here who can confirm/deny that. That would be great!