Why do we need package-lock.json?

package-lock.json is not published, and we are a CLI, so whoever installs this package via npm are not going to use it, the only use case seems to be for people who `git clone & npm link` but I don't think the file is necessary for that use case?