Aren't you mixing up two things here; committing to a source code repository, and publishing to a registry?
npm pack strips out package-lock.json for publishing. But I believe that even if there were package-lock.json files in dependencies, npm install ignores any but the top-level one, anyway. It wouldn't make sense conceptually to consider them, because if you successfully lock down your dependency versions from your root, you implicitly lock them for all dependencies further down the tree, as well.
On the other hand, nothing speaks against publishing package-lock.json with the source code. In fact, that's half of the reasons for its existence. Because it only has an effect if it's the top-level package, it will help library developers with its intended purpose, while not affecting library consumers.
Please correct me if I'm misunderstanding something here!
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.