As per npm documentation, npm-shrinkwrap.json seems to be used in some specific cases (i.e. npm published package where it needs exact dependency tree, like globally install command line tools).

Doing a npm install does updates this file, which has to be committed again. I may not be aware of its real utility but I am more used to do this with package-lock.json, which seems to be less annoying about these file status.