Because package.json is a JSON file, it doesn't support comments (such as // ...). However, you can use custom fields to store notes without interfering with npm, for example "comment": "...comment goes here...".
Always commit the lock file into the repository. It ensures that all developers of the package work with the same versions of dependencies.
Dependencies in package.json and the lock file don't always stay in sync, which can lead to surprises in how npm install behaves. For dependencies that are consistent between the two files the version from the lock file is used, while inconsistencies are resolved using package.json.
For deployment use npm ci or yarn install --frozen-lockfile, so that packages are installed from the lock file and package.json is ignored.
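As an added example (not part of the original notes), the following Node script shows what such an inconsistency looks like: it compares a constructed package.json against a constructed package-lock.json (v2/v3 layout) and reports dependencies whose locked version falls outside the declared range, dependencies missing from the lock, and top-level lock entries that nothing declares. Package names and versions are made up.

```javascript
// Constructed sample manifests (not a real project) in package-lock v2/v3 layout, where
// lock.packages["node_modules/<name>"] records each top-level installed package.
const samplePkg = {
  name: "example-app",
  dependencies: { "alpha-lib": "^1.2.0", "beta-util": "~2.3.1" },
  devDependencies: { "gamma-cli": "3.0.0" },
};
const sampleLock = {
  packages: {
    "": { name: "example-app" },
    "node_modules/alpha-lib": { version: "1.4.2" },
    "node_modules/beta-util": { version: "2.4.0" }, // drifted outside ~2.3.1
    "node_modules/delta-old": { version: "0.1.0" }, // no longer declared
    "node_modules/alpha-lib/node_modules/delta-old": { version: "0.0.9" }, // nested: ignored
  },
};

function parseVersion(v) {
  const [major, minor, patch] = v.replace(/^v/, "").split(".").map(Number);
  return { major, minor, patch };
}
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Minimal semver check (exact pins, ^ and ~ only); real tooling should use the semver package.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range[0] !== "^" && range[0] !== "~") return compare(v, parseVersion(range)) === 0;
  const r = parseVersion(range.slice(1));
  if (compare(v, r) < 0) return false;
  if (r.major === 0 && r.minor === 0) return compare(v, r) === 0; // ^0.0.z pins exactly
  if (range[0] === "~" || r.major === 0) return v.major === r.major && v.minor === r.minor;
  return v.major === r.major;
}
// Report declared-but-unlocked, locked-outside-range, and top-level locked-but-undeclared packages.
function lockDrift(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) findings.push({ name, status: "missing-in-lock", range });
    else if (!satisfies(entry.version, range)) findings.push({ name, status: "out-of-range", range, locked: entry.version });
  }
  for (const [key, entry] of Object.entries(lock.packages)) {
    const m = key.match(/^node_modules\/((?:@[^/]+\/)?[^/]+)$/); // top-level entries only
    if (m && !(m[1] in declared)) findings.push({ name: m[1], status: "extraneous-in-lock", locked: entry.version });
  }
  return findings;
}
```

Running lockDrift(samplePkg, sampleLock) reports beta-util as out-of-range, gamma-cli as missing-in-lock and delta-old as extraneous-in-lock; npm ci would refuse to install from such a pair of files, while a plain npm install would silently rewrite the lock.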
Unlike package-lock.json, which is not bundled into npm packages, npm-shrinkwrap.json is preserved and respected by npm install. While it allows you to pin the exact versions of sub-dependencies, it also leads to duplicate package installations and stale dependencies. Using npm-shrinkwrap.json is strongly discouraged for libraries, but acceptable for command line tools, daemons and development dependencies.
Is it popular? Look at GitHub stars, npm download statistics (via npm trends) and the number of dependents.
Is it actively developed and maintained? When was it released? When was the last activity (commit, issue, release)? Are reported issues addressed (see open/closed issue statistics)? Keep in mind that for simple packages a lack of activity sometimes means maturity rather than abandonment.
Is it of high quality? Does it have documentation and a changelog? Is it covered by tests? Does the code look well written? You can explore package contents using npmfs.
Note that if .npmignore is provided, the files listed in .gitignore are no longer excluded from the npm package. Make sure to blacklist all unnecessary files in .npmignore, or whitelist the files to publish using the files field in package.json.