Again, I'm surely missing some peculiarities having to do with Docker config and conventions here, but speaking only about what I know best (Node.js/npm): it's not about which is “newer”; the lock is the only artifact that determines without ambiguity the tree of needed dependencies (that's its only purpose).
“package.json” may very well be “newer” for a number of reasons (e.g., I may have added the e-mail address of the author, changed the licence, or removed one of the keywords), and still what should be npm-installed is what the lock says. No need to compare anything. (Of course the contents of both should be coherent, but that's the responsibility of the maintainer.)
There's no “principled” way to “generate” a deterministic package-lock.json from package.json. If there were, the former wouldn't ever be necessary. The exact same package.json will generate a different package-lock.json a few minutes from now (e.g., because one of the dependencies, direct or transitive, just published a new prerelease or a new patch in the interim). That's why we always keep both under version control and distribute both in the npm world.
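
The coherence point raised in the comment above, as an added example that is not part of the original comment: a check that ignores which file is newer and instead compares the dependency ranges declared in package.json with those recorded in the root `packages[""]` entry of a lockfileVersion 2 or 3 lock. The function name `lockDrift`, the package names and all sample data are constructed for illustration.

```javascript
// Added example: compare declared dependency ranges, never file timestamps.
const DEP_FIELDS = ["dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"];

// Returns a sorted list of mismatches between package.json (pkg) and the
// root entry of a lockfileVersion 2/3 package-lock.json (lock).
function lockDrift(pkg, lock) {
  const root = lock.packages && lock.packages[""];
  if (!root) {
    // lockfileVersion 1 has no "packages" map; refuse rather than guess.
    throw new Error('lockfile has no packages[""] entry');
  }
  const drift = [];
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    const names = new Set([...Object.keys(declared), ...Object.keys(locked)]);
    for (const name of [...names].sort()) {
      if (declared[name] !== locked[name]) {
        drift.push(`${field}.${name}: package.json=${declared[name]} lock=${locked[name]}`);
      }
    }
  }
  return drift;
}

// Constructed lock: the root entry mirrors the ranges package.json had
// when the lock was written; the other entries pin exact versions.
const lock = {
  name: "demo-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "dep-a": "^1.3.0" } },
    "node_modules/dep-a": { version: "1.3.4" },
  },
};

// Metadata-only edit (author, licence, keywords): "newer" file, same tree.
const metadataEdit = {
  name: "demo-app", version: "1.0.0", license: "MIT", keywords: [],
  author: "dev@example.com", dependencies: { "dep-a": "^1.3.0" },
};
// Dependency edit without regenerating the lock: the files now disagree.
const rangeEdit = { ...metadataEdit, dependencies: { "dep-a": "^2.0.0", "dep-b": "^0.4.0" } };

console.log(lockDrift(metadataEdit, lock)); // no drift
console.log(lockDrift(rangeEdit, lock));    // two mismatches
```

`npm ci` performs a comparable sync check itself and fails when package.json and the lock disagree.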