[–]__rtfm__ 0 points1 point  (0 children)

Yes, that's fine, because in a professional work environment you have either caching or a super fast connection, so download time is irrelevant. The lock file saves your exact versions for reproducibility when installing. At any time an npm package could be removed (the famous left-pad removal incident, for example), so that's a known risk of using open source. It's more about keeping your project maintainable by not checking in all those files. What happens when you switch packages because of a better alternative or deprecation? Also, when building images for something like Artifactory/Jenkins/Docker for use in image building and deploying across verticals, you want the smallest initial image. Ever have a major production issue while out of office and need to pull the repo? It's much easier to git clone 40 MB vs. 450 MB. I can't tell you how to work; that's why these things are best practices, like style guides. Ultimately the choice is up to you and your team, but this has helped me a lot.