Having had a hard time understanding how exactly npm processes package-lock.json and at what stages it is updated, I put together a little guide to sort of reverse engineer how the locked dependencies are updated. This is not going to be an exhaustive study of every aspect of how npm deals with these locked dependencies, but rather a very quick step-by-step guide that lays out my findings.
To get the ball rolling, I prepared a rather simple React boilerplate project to experiment with. It incorporates the very basics needed to generate a "Hello React!" application. This will do perfectly for our little demonstration.
Let's swiftly glance through the fundamental project files.