Package-lock.json pins only first-order dependencies
twitter.comDoesn't using `npm ci` instead of `npm install` keep transitive dependencies pinned as well?
Doesn't using `npm ci` instead of `npm install` keep transitive dependencies pinned as well?