Is this really true?
What about dependency versions in package.json (or dependencies of dependencies that we don’t even see in package.json) marked with ^ or ~?
Aren’t they updated when we run ‘npm install’? And doesn’t that also trigger an update of package-lock.json?
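An added example, not from this thread, of the kind of check the question is about: it implements the caret (`^`) and tilde (`~`) range rules for full `x.y.z` versions and reports which direct dependencies in package.json have a package-lock.json entry that is missing or falls outside the declared range. The two manifests are constructed samples, and the lockfile is assumed to use the newer layout where entries are keyed by `node_modules/<name>` under `packages`; prerelease tags, partial versions and other range operators are out of scope.

```python
import json
import re
# Constructed sample manifests (not from any real project).
PACKAGE_JSON = json.dumps({"dependencies": {
    "lodash": "^4.17.20", "express": "~4.18.1", "left-pad": "1.3.0"}})
PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/express": {"version": "4.19.2"},  # outside ~4.18.1
    "node_modules/left-pad": {"version": "1.3.0"}}})

def parse_version(v):
    """Parse a full x.y.z version; prerelease tags and partial versions are out of scope."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    return tuple(int(x) for x in m.groups())

def range_bounds(spec):
    """Return (lower_inclusive, upper_exclusive) for an exact, ^ or ~ spec."""
    op, ver = (spec[0], spec[1:]) if spec[0] in "^~" else ("", spec)
    major, minor, patch = parse_version(ver)
    lower = (major, minor, patch)
    if op == "":                     # exact pin: only this version
        upper = (major, minor, patch + 1)
    elif op == "~":                  # tilde: patch updates within the same minor
        upper = (major, minor + 1, 0)
    elif major > 0:                  # caret: anything below the next major
        upper = (major + 1, 0, 0)
    elif minor > 0:                  # caret on 0.x: anything below the next minor
        upper = (0, minor + 1, 0)
    else:                            # caret on 0.0.x: only this patch
        upper = (0, 0, patch + 1)
    return lower, upper

def satisfies(version, spec):
    lower, upper = range_bounds(spec)
    return lower <= parse_version(version) < upper

def lock_drift(package_json, package_lock):
    """Direct dependencies whose locked version is missing or outside the declared range."""
    deps = json.loads(package_json).get("dependencies", {})
    pkgs = json.loads(package_lock).get("packages", {})
    drift = {}
    for name, spec in deps.items():
        entry = pkgs.get(f"node_modules/{name}")
        locked = entry["version"] if entry else None
        if locked is None or not satisfies(locked, spec):
            drift[name] = (spec, locked)
    return drift
```

On the sample data, `lock_drift(PACKAGE_JSON, PACKAGE_LOCK)` returns `{'express': ('~4.18.1', '4.19.2')}`, the one entry whose locked version no longer matches what package.json declares.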