Comment by dgoldstein0
2 hours ago
This was true in very old npm - generating the lock file was a separate command - npm shrinkwrap. And many people didn't know they should check in the shrinkwraps. But I think the default flipped before 2020 so that it now always creates package-lock.json files (unless an npm-shrinkwrap.json is present, and then it uses/updates that).