I am running npm install in a public GitHub repo and it has locked express at 4.17.0 in the package-lock.json file, which is the correc
npm install xxx will generate a new lock file every time. (Actually it just ignores the lock file and generates a new one each time it executes.)
npm ci, on the other hand, is the command to install packages based on the lock file instead of package.json.
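As an added illustration of the difference the answer describes (this is not npm's own code and not from the original post): a simplified model of the manifest/lock consistency check that makes npm ci install exactly the pinned versions or refuse, rather than resolving fresh versions and rewriting the lock file. The package.json and package-lock.json contents below are constructed samples, and the range matcher only handles exact, ~ and ^ specs.

```python
import json
import re

# Constructed sample manifest and lock file (lockfileVersion 2/3 layout); not a real project.
PACKAGE_JSON = json.loads('{"dependencies": {"express": "^4.17.0"}}')
PACKAGE_LOCK = json.loads(
    '{"lockfileVersion": 3, "packages": {'
    '"": {"dependencies": {"express": "^4.17.0"}}, '
    '"node_modules/express": {"version": "4.17.0"}}}'
)


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def satisfies(version, spec):
    """Minimal semver range check: exact ("4.17.0"), tilde ("~4.17.0") or caret ("^4.17.0")."""
    m = re.fullmatch(r"([~^]?)(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported spec {spec!r}")
    op = m.group(1)
    base = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    actual = parse_version(version)
    if actual < base:
        return False
    if op == "":
        return actual == base
    if op == "~":                      # same major.minor, patch may move up
        return actual[:2] == base[:2]
    if base[0] > 0:                    # ^x.y.z with x > 0: same major
        return actual[0] == base[0]
    if base[1] > 0:                    # ^0.y.z: same minor
        return actual[:2] == base[:2]
    return actual == base              # ^0.0.z: exact


def locked_versions(package_json, package_lock):
    """Emulate the check npm ci performs before installing: every dependency declared in
    package.json must be pinned in the lock file at a version inside the declared range.
    Returns {name: pinned_version}; raises instead of silently regenerating the lock."""
    deps = {**package_json.get("dependencies", {}), **package_json.get("devDependencies", {})}
    packages = package_lock.get("packages", {})
    pinned = {}
    for name, spec in deps.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            raise RuntimeError(f"{name} is missing from package-lock.json; lock is out of sync")
        if not satisfies(entry["version"], spec):
            raise RuntimeError(f"{name}@{entry['version']} in lock does not satisfy {spec}")
        pinned[name] = entry["version"]
    return pinned
```

With the sample files the result is {"express": "4.17.0"}; editing package.json to ^5.0.0 without updating the lock makes the function raise, which is the failure you want in CI instead of a silently rewritten lock file.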