There seems to be some confusion around whether the package-lock.json file enforces the destination of the package that is fetched based on the resolved field.

Based on some historical context (ref 1 & 2), I'd like us to test that we do, indeed, respect the registry option when set in .npmrc or --registry and potentially add a test for the scenario where a lock file has disparate references to the provided registry (ref current pickRegistry() tests).

• Test functionality as it stands today (and confirm the above is true)
• Write a new test to explicitly test this scenario (ie. a mismatch between resolved paths in package-lock.json vs. a defined registry option)
• Update docs to explicitly communicate this functionality more thoroughly

A hacky e2e-test-poc was put in place using a fork of npm-registry-mock in which we validate this behavior in a reproducible manner: npm/npm-registry-mock#35

Closing this since we already got all the answers we wanted 😊