A publishable lockfile
npm-shrinkwrap.json is a file created by npm-shrinkwrap(1). It is identical to
package-lock.json, with one major caveat: Unlike
npm-shrinkwrap.json may be included when publishing a package.
The recommended use-case for
npm-shrinkwrap.json is applications deployed
through the publishing process on the registry: for example, daemons and
command-line tools intended as global installs or
strongly discouraged for library authors to publish this file, since that would
prevent end users from having control over transitive dependency updates.
Additionally, if both
npm-shrinkwrap.json are present
in a package root,
package-lock.json will be ignored in favor of this file.
For full details and description of the
npm-shrinkwrap.json file format, refer
to the manual page for package-lock.json(5).