I am running the npm install in a public GitHub repo and it has locked the express at 4.17.0 in package-lock.json file which is the correc
Remove the caret ^ sign. Then it'll stay locked at 4.17.0.
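As an added example (not part of the original question or answer), this Node.js sketch lists dependencies whose `package.json` spec is a range rather than an exact version, and for caret ranges shows the exclusive upper bound next to the version recorded in `package-lock.json`. The sample manifests and all function names are constructed for illustration.

```javascript
// Constructed sample manifests (not taken from the post).
const samplePackageJson = {
  dependencies: { express: "^4.17.0", lodash: "4.17.21" },
  devDependencies: { mocha: "~10.2.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "4.17.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/mocha": { version: "10.2.0" },
  },
};

// An exact pin: MAJOR.MINOR.PATCH with optional prerelease/build suffix, no range operator.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Exclusive upper bound of a caret range: the leftmost non-zero component may not change.
function caretUpperBound(base) {
  const [major, minor, patch] = base.match(/^(\d+)\.(\d+)\.(\d+)/).slice(1).map(Number);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Read the locked version from either lockfile layout (v2/v3 "packages", v1 "dependencies").
function lockedVersion(lock, name) {
  const entry = (lock.packages && lock.packages[`node_modules/${name}`]) ||
                (lock.dependencies && lock.dependencies[name]);
  return entry ? entry.version : null;
}

// Report every direct dependency whose package.json spec is not an exact version.
function findFloating(pkg, lock) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (EXACT.test(spec)) continue; // already pinned
      const finding = { name, section, spec, locked: lockedVersion(lock, name) };
      if (spec.startsWith("^") && EXACT.test(spec.slice(1))) {
        finding.allowsBelow = caretUpperBound(spec.slice(1));
      }
      findings.push(finding);
    }
  }
  return findings;
}

console.log(findFloating(samplePackageJson, sampleLock));
```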