aspnet / Templating

[Archived] ASP.NET Core templates for .NET CLI and Visual Studio. Project moved to https://github.com/aspnet/AspNetCore


Remove the package-lock.json from the two React templates

mauricedb opened this issue · comments

Please remove the package-lock.json. That locks the NPM dependencies like React to exact versions and they should just take the latest in the permissible SemVer range. That is what Create React App does as well. Additionally this suggests using NPM but lots of people will use Yarn instead and need a yarn.lock file instead. That way the appropriate lock file will be generated as appropriate.


Thanks for contacting us, @mauricedb.
@ryanbrandenburg, I remember there was a specific reason we've included the package-lock.json in the template. Do you remember what it was?

The reason we include package-lock.json is that, if we didn't, the template could become broken at any moment. This is what used to happen in the early days of the SPA templates before they were officially released.

Since our templates ship inside VS, we can't publish updates at a very fine-grained level of frequency. Customers expect that what we ship should continue working for many months, even years, in its original state. Unfortunately in the Node ecosystem where a stock Angular or React project has hundreds of third-party dependencies, the half-life of a functioning template would be on the order of weeks, not years, if we didn't lock down the entire transient set to a known good set via package-lock.json.

I recognize that theoretically semver rules should protect against breaking changes, but unfortunately in reality they don't. Sometimes small revisions to transient dependencies have unintentional bugs (hence semver isn't going to protect you); or sometimes those package authors don't have a sufficiently strict interpretation of semver rules. This isn't ideal, but it is how it is 😄

BTW if you want, you can of course delete your package-lock.json files at any time, so that you get the latest semver-specified dependencies. It might break your app, but also it might not.
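The pinning described above only protects a template if the lock file actually covers what package.json declares. The script below is an added example and is not code from the aspnet/Templating repository: it takes a package.json and package-lock.json pair (both constructed inline here; package names and version numbers are illustrative samples, not the template's real dependency set) and reports dependencies that are missing from the lock file or locked to a version outside the declared range. It understands exact, caret and tilde ranges, and both the lockfile v1 `dependencies` layout and the v2/v3 `packages` layout.

```javascript
// Added example: verify that package-lock.json pins every declared dependency
// to a version inside the range package.json allows. Not part of aspnet/Templating.

const semverRe = /^(\d+)\.(\d+)\.(\d+)$/;

function parseVersion(v) {
  const m = semverRe.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports the range forms npm writes by default: exact, ^x.y.z and ~x.y.z.
// ^ allows changes that do not modify the left-most non-zero component;
// ~ allows patch-level changes only.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!op) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  const upper = [...base]; // exclusive upper bound
  if (op === '~') { upper[1] += 1; upper[2] = 0; }
  else if (base[0] > 0) { upper[0] += 1; upper[1] = 0; upper[2] = 0; }
  else if (base[1] > 0) { upper[1] += 1; upper[2] = 0; }
  else { upper[2] += 1; }
  return compare(v, upper) < 0;
}

// Look up the top-level locked version of a package in either lockfile layout.
function lockedVersion(lock, name) {
  const v3 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v3) return v3.version;
  const v1 = lock.dependencies && lock.dependencies[name];
  if (v1) return v1.version;
  return null;
}

// Returns a list of human-readable problems; an empty list means the lock file
// is consistent with package.json for every declared direct dependency.
function checkLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const locked = lockedVersion(lock, name);
    if (locked === null) {
      problems.push(`${name}: declared ${range} but absent from package-lock.json`);
    } else if (!satisfies(locked, range)) {
      problems.push(`${name}: locked ${locked} is outside declared range ${range}`);
    }
  }
  return problems;
}

// Constructed sample input (illustrative names and versions only).
const samplePackageJson = {
  dependencies: { react: '^16.0.0', 'react-dom': '^16.0.0', rimraf: '^2.6.2' },
  devDependencies: { 'cross-env': '^5.1.4' },
};
const samplePackageLock = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: '16.2.0' },
    'react-dom': { version: '16.2.0' },
    rimraf: { version: '3.0.2' }, // deliberately outside ^2.6.2
    // cross-env deliberately missing
  },
};

const report = checkLock(samplePackageJson, samplePackageLock);
console.log(report.length ? report.join('\n') : 'package-lock.json is consistent');
```

Run with `node` against real files by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`. Only direct dependencies are checked here; `npm ci` enforces the same consistency for the whole tree and refuses to install when package.json and the lock file disagree, which is the behaviour a template relies on.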

What @SteveSandersonMS said. I'm generally against including generated files in our templates, but in this case it's a necessary evil.

Makes sense, agreed.

CRA generates the lock file as needed but only has dependencies the team controls. In this case there are a number of extra dependencies that update at different rates and might not be as well tested as the core React packages.