package-lock=false in any of the configs breaks the behavior of
npm i --package-lock-only. Would be helpful if npm errored with a message about that before attempting to install that way.
Personally, I want a configuration option that means:
Do not automatically create a package-lock.json
All other package-lock features should still work. If my co-workers want to use package-lock, it should be updated whenever working with that file. The audit command should still work. Shrinkwrap should still work.
The only behaviour I dislike is that a package-lock.json is generated by default. There should also be a CLI flag to create a package-lock.json even if I have automatic generation turned off.
We will be adding an error message for this in an upcoming release. Thanks for the feedback!