package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree or package.json. It describes the exact tree that was generated so that subsequent installations can generate the same trees regardless of intermediate dependency updates.
This file is intended to be committed into source repositories and serves various purposes:
Describe a single view of the dependency tree so that teams, deployments, and continuous integration install exactly the same dependencies.
Provide users with the ability to "travel back in time" to a previous state of node_modules without having to commit the directory itself.
Facilitate greater visibility of tree changes through readable version-control diffs.
Streamline the installation process by allowing npm to skip repeated metadata resolutions for previously installed packages.
More info: npm documentation
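Since the lockfile is what later installs trust, a reviewer usually wants to confirm that every entry in it is actually pinned: a version, a "resolved" URL on the expected registry and an "integrity" hash. The following is an added example, not code from the answer above or from npm; it assumes the lockfileVersion 2/3 "packages" layout, a constructed sample lockfile, and the public registry as the expected host.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages"
// layout) for entries that a reproducible, tamper-evident "npm ci" relies on.
// Entries lacking a version, a "resolved" URL or an "integrity" hash, or
// resolved from an unexpected host, are reported for review.

const EXPECTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: public registry

// Constructed sample lockfile; package names and the hash are illustrative only.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { a: "^1.0.0" } },
    "node_modules/a": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/a/-/a-1.2.3.tgz",
      integrity: "sha512-PLACEHOLDERHASH",
    },
    "node_modules/b": {
      version: "0.1.0",
      resolved: "https://example.internal/b-0.1.0.tgz", // unexpected host, no integrity
    },
    "node_modules/c": { version: "2.0.0" }, // neither resolved nor integrity
  },
};

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself, nothing is fetched
    if (entry.link) continue;  // workspace symlink, nothing is fetched either
    if (!entry.version) findings.push({ path, issue: "missing version" });
    if (!entry.resolved) findings.push({ path, issue: "missing resolved URL" });
    else if (!entry.resolved.startsWith(EXPECTED_REGISTRY))
      findings.push({ path, issue: `resolved from unexpected host: ${entry.resolved}` });
    if (!entry.integrity) findings.push({ path, issue: "missing integrity hash" });
    else if (!/^sha(256|384|512)-/.test(entry.integrity))
      findings.push({ path, issue: "weak or malformed integrity algorithm" });
  }
  return findings;
}

for (const f of auditLockfile(sampleLock)) console.log(`${f.path}: ${f.issue}`);
```

To run it against a real project, replace sampleLock with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).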