The state of dependencies should be described in package.json. That's what the dependencies field is for. Package-lock.json is unnecessary.
Not that this is common, but what about the dependencies that your dependencies rely on? What if they change?
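
To make the question about transitive dependencies concrete, this added example (not written by either commenter) walks a constructed package.json and package-lock.json and reports which resolved versions package.json never mentions. The package names, versions, integrity strings and the `auditLock` helper are all hypothetical; the lockfile uses the `lockfileVersion: 3` layout.

```javascript
// Constructed manifests for illustration; not taken from any real project.
const packageJson = {
  name: "demo-app",
  dependencies: { "web-framework": "^2.1.0" }, // a range, not an exact version
};

// lockfileVersion 3 layout: a flat "packages" map keyed by install path,
// with "" as the root project.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-framework": "^2.1.0" } },
    "node_modules/web-framework": {
      version: "2.1.4",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-A",
      dependencies: { "body-reader": "~1.3.0" },
    },
    "node_modules/body-reader": {
      version: "1.3.2",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-B",
      dependencies: { "tiny-util": "*" },
    },
    "node_modules/tiny-util": { version: "0.9.7" }, // no integrity recorded
  },
};

// Split locked packages into those declared in package.json and those that
// only the lockfile pins, and flag entries with no integrity hash.
function auditLock(pkg, lock) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const marker = "node_modules/";
  const report = { direct: [], transitive: [], missingIntegrity: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // The name follows the last "node_modules/" (covers nesting and scopes).
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const pinned = `${name}@${entry.version}`;
    // A nested copy is never a direct dependency of the root project.
    const isDirect = path === marker + name && declared.has(name);
    (isDirect ? report.direct : report.transitive).push(pinned);
    if (!entry.integrity && !entry.link) report.missingIntegrity.push(pinned);
  }
  return report;
}

console.log(auditLock(packageJson, packageLock));
```

Here package.json names one package by range, while the lockfile records the exact version of that package and of the two packages beneath it.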