This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

package-lock.json is overridden on dependency update in a bad way #19124

Open
2 of 13 tasks
Fohlen opened this issue Nov 10, 2017 · 0 comments

Comments


Fohlen commented Nov 10, 2017

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • Other (see below for feature requests):

What's going wrong?

The package-lock.json system is entirely useless for us, at the moment.
Take the following situation

  • A depends on B
  • B defines a dependency C
  • now, C has some security issue
  • you decide to manually patch C in your root (A's) package-lock.json
  • this works fine. However, you don't want to npm i C --save because you don't want to explicitly rely on C. You just want to fix this goddamn security issue, because B doesn't do it
  • now. This goes well for a while.
  • if you update B npm will OVERRIDE your package-lock rules on C
  • this just wtf's the sh** out of me. Now I even have a git-diff script that only does the following task:
    • remove the updates from npm update concerning the package C

How can the CLI team reproduce the problem?

This is not generally a "reproducible bug" type of bug. As far as I understand from #17979, this is a general concept issue with package-lock.
If you still need to reproduce this, here's our situation:

  • our package @inexorgame/treeclient depends on node-rest-client, which depends on debug@2.2.0 <- vulnerable
  • our package @inexorgame/inexor-flex depends on @inexorgame/treeclient
  • now, whenever we increase the patch version of @inexorgame/treeclient, we have to manually fix our package-lock.json again.

Supporting information:

  • npm -v prints: 5.5.1
  • node -v prints: v8.4.0
  • npm config get registry prints: https://registry.npmjs.org/
  • Windows, OS X/macOS, or Linux?: OS X
  • Network issues:
    • Geographic location where npm was run:
    • I use a proxy to connect to the npm registry.
    • I use a proxy to connect to the web.
    • I use a proxy when downloading Git repos.
    • I access the npm registry via a VPN
    • I don't use a proxy, but have limited or unreliable internet access.
  • Container:
    • I develop using Vagrant on Windows.
    • I develop using Vagrant on OS X or Linux.
    • I develop / deploy using Docker.
    • I deploy to a PaaS (Triton, Heroku).
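A check for the situation described above, as an added example that is not part of the original issue or of npm itself: a script that walks a lockfileVersion 1 package-lock.json and reports every nested copy of a package whose version is on a deny list, so CI can fail when npm update re-pins the vulnerable transitive version. The lock file contents, the version numbers and the helper names are constructed for the example.

```javascript
// Added example, not from the issue: walk an npm lockfileVersion 1
// package-lock.json and report every nested copy of a package whose version is
// on a deny list, so CI fails when "npm update" re-pins a known-bad transitive
// version (debug@2.2.0, as in the issue). Version numbers are constructed.
const SAMPLE_LOCK = {
  name: '@inexorgame/inexor-flex',
  lockfileVersion: 1,
  dependencies: {
    '@inexorgame/treeclient': {
      version: '1.0.0',
      requires: { 'node-rest-client': '^3.1.0' },
      dependencies: {
        'node-rest-client': {
          version: '3.1.0',
          requires: { debug: '~2.2.0' },
          // npm put the vulnerable copy back here after the update
          dependencies: { debug: { version: '2.2.0' } },
        },
      },
    },
    debug: { version: '2.6.9' }, // hoisted root copy, already patched
  },
};

// name -> versions that must not appear anywhere in the tree
const DENYLIST = { debug: ['2.2.0'] };

// Recursively visit lockfile v1 "dependencies" maps and return
// [{ path, version }] for every entry whose version is denied.
function findDenied(deps, denylist, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if ((denylist[name] || []).includes(entry.version)) {
      hits.push({ path: path.join(' > '), version: entry.version });
    }
    // nested copies live under entry.dependencies, not at the root
    hits.push(...findDenied(entry.dependencies, denylist, path));
  }
  return hits;
}

// Empty result means the lock file is clean.
function auditLock(lock, denylist) {
  return findDenied(lock.dependencies, denylist);
}

for (const v of auditLock(SAMPLE_LOCK, DENYLIST)) {
  console.log(`denied version in lock file: ${v.path}@${v.version}`);
}
```

To run it against a real lock file, replace SAMPLE_LOCK with the parsed contents of package-lock.json and make the CI step fail when auditLock returns a non-empty list.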