npm install ignores lockfile for Git-based deps & fails to installed nested Git-based deps

This ticket reports >=2 bugs at once, sorry for that.

Use the individual revisions of https://github.com/derhuerst/npm-git-bug-1 to reproduce them.

What I Wanted to Do

see https://github.com/derhuerst/npm-git-bug-1

What Happened Instead

see https://github.com/derhuerst/npm-git-bug-1

Reproduction Steps

see https://github.com/derhuerst/npm-git-bug-1

Platform Info

macOS 10.14.6, Node 12.10.0, npm@6.11.3 (but it fails with 6.9 - 6.11 as well).

$ npm --versions
{
  npm: '6.11.3',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  llhttp: '1.1.4',
  modules: '72',
  napi: '4',
  nghttp2: '1.39.2',
  node: '12.10.0',
  openssl: '1.1.1c',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.31.0',
  v8: '7.6.303.29-node.16',
  zlib: '1.2.11'
}

$ node -p process.platform
darwin