“package-lock.json” always take precedence over “package.json”, and is the recommended way now to specify the whole tree of npm dependencies. On the other hand, “package.json” contains useful metadata that is omitted in the lock, such as scripts and the like. Whatever the use case, I'd say it'd be strange not to include both.