You should 100% track package-lock.json, and I'll go a step further and say you should most likely track node_modules too.
If the underlying infrastructure does not provide reproducible builds, I'd suggest you should instead fix that.