The whole debate around whether you should use a lockfile or not for a project is something that's been going on for a while.
However, considering that you are using lockfiles, did you consider the security concerns related to lockfiles?
I wrote about how it is possible for someone to inject malicious packages in your lockfile as a contribution to the project, without you noticing it, and I wonder what you think about this vector.
P.S. I also wrote a tool called lockfile-lint to help combat this. Do you find this helpful?
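
As an added illustration (not part of the original post and not lockfile-lint's own code), here is a minimal reviewer-side check for npm `package-lock.json` files, assuming a tampered entry shows up as an unexpected `resolved` URL or `integrity` value. The allowed host list and the sample lockfile are constructed for the example.

```javascript
// ALLOWED_HOSTS is an assumption: list the registries your project installs from.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

function auditLockfile(lockText, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  // lockfileVersion 2 and 3 list every install under "packages", keyed by path.
  const packages = JSON.parse(lockText).packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    // Skip the root project, workspace links and bundled dependencies.
    if (path === "" || entry.link || entry.inBundle) continue;
    const report = (reason) => findings.push({ path, reason });
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      report("missing-or-unparseable-resolved");
      continue;
    }
    if (url.protocol !== "https:") {
      report("non-https-scheme");
    } else if (!allowedHosts.has(url.hostname)) {
      report("untrusted-host");
    } else {
      // The tarball path should name the package the lockfile key installs.
      const name = entry.name || path.split("node_modules/").pop();
      if (!url.pathname.startsWith(`/${name}/-/`)) report("name-mismatch");
    }
    if (!/^sha512-/.test(entry.integrity || "")) report("integrity-not-sha512");
  }
  return findings;
}

// Constructed sample lockfile; hosts, names and hashes are placeholders.
const SAMPLE_LOCK = JSON.stringify({ name: "demo", lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER==",
    resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  "node_modules/ms": { version: "2.1.3", integrity: "sha512-PLACEHOLDER==",
    resolved: "https://packages.example.invalid/ms/-/ms-2.1.3.tgz" },
  "node_modules/debug": { version: "4.3.4", integrity: "sha512-PLACEHOLDER==",
    resolved: "https://registry.npmjs.org/not-debug/-/not-debug-4.3.4.tgz" },
  "node_modules/once": { version: "1.4.0", integrity: "sha1-PLACEHOLDER=",
    resolved: "http://registry.npmjs.org/once/-/once-1.4.0.tgz" },
} });

console.log(auditLockfile(SAMPLE_LOCK));
```

Running a check like this in CI on every pull request that touches the lockfile surfaces changed entries that are easy to miss in a large machine-generated diff.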