As we already notice around this topic reported from community, a behaviour of
npm install can be a bit tricky when it modifies
package-lock.json with no argument. Apparently, yarn also had the same behaviour but they changed it and it seems to be a good practice.
As an idea instead of bug report, could we try the same thing in npm? The bare minimum change in the code base can be just one line like this:
// right before making new instance of Install in install function at lib/install.js if (!args.length) npm.config.set('save', false)