I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's the feature?

The story is we have a registry which only serves our internal network so developers outside company cannot access, also out CI machine can only access internal network so the default registry is out of reach

In this case, if a developer runs npm install in default registry, a generated package-lock.json will lead CI machine to download tarball from npmjs.org and fail

In my point of view, package-lock.json currently contains a integrity field to check the shasum of a package, so we can leave the install machine to decide where to download tarball and check shasum for integrity, the resolved field can be a speed boost but it should be optional