By default, npm install automatically generates a package-lock.json:

npm install

However, the lockfile can be disabled in .npmrc:

# .npmrc
package-lock=false

To create a lockfile, pass the option --package-lock-only:

npm install --package-lock-only

Or pass the option --package-lock:

npm install --package-lock