I guess can be merged directly.

Thanks

@Bakual Which node and npm version are you using and o which OS? I ask because I revive different package-lock.json.

This PR was done on Windows 10 with npm 5.6.0 on Node 8.11.3.
I had the same issue on a Linux box (similar version I think)

If we get a different outcome on different machines and node/npm versions, then I'm seriously confused as I'd expect the lock file to be the same on each enviroment, because that's the purpose of a lock file, right?

Here is my package-lock.json

node --version
v8.9.4
npm --version
6.4.0

See https://stackoverflow.com/questions/47638381/what-did-package-lock-json-change-the-integrity-hash-from-sha1-to-sha512 for some context on integrity hashes and why those can change between environments.

Your changes in this PR look to be a variant of npm/npm#20434

Loosely similar is https://npm.community/t/package-lock-json-keeps-changing-between-platforms-and-runs/1129 and https://npm.community/t/package-lock-json-changes-from-one-npm-install-to-the-next/1454

Long and short is whatever the problem is is within NPM itself, worsened by the fact we have a community that is running a massively wide range of versions of software which apparently all have different behaviors.

@mbabker @dgrammatiko Any ideas for this? We must have a method to produce consistent package-lock.json.

So npm is unreliable in building a reproducable enviroment. Doesn't sound that great.
If I understood the links correct, the behavior is fixed in npm v6? Making that a requirement?
Or do we have to change the installation doc so npm ci (npm v5.7.0+) is used which works directly from the lock file?

We can add npm as a dev dependency and then use local install instead of global.