See https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
I usually skim changes in package-lock.json, but I could see myself very much missing the type of injection described in the linked blog post during CR of a few-hundred-line diff.
Are there other types of checks we should institute?
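One concrete check for the question above, added here as an example (not code from the post or from the linked Snyk article): a small Node script that CI can run on every change to package-lock.json and that fails the build when any entry's `resolved` URL points outside the expected registry or lacks a sha512 `integrity` hash. It assumes `registry.npmjs.org` is the only legitimate tarball source; the lockfile below is constructed for the example.

```javascript
// Added example, not from the original post. Lockfile sanity check: walks
// package-lock.json (v1 "dependencies" tree or v2/v3 "packages" map) and reports
// entries whose tarball is not served from the allowed registry or whose
// integrity field is weak or missing. Allowed host is an assumption for this example.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

function checkEntry(name, entry, findings) {
  if (!entry || typeof entry !== "object") return;
  // Workspace links and bundled deps have no registry tarball of their own.
  if (entry.link || entry.inBundle || entry.bundled) return;
  const { resolved, integrity } = entry;
  let host = null;
  try { if (resolved) host = new URL(resolved).host; } catch (_) { /* not a URL */ }
  if (!host || !ALLOWED_HOSTS.has(host)) {
    findings.push({ name, reason: `resolved outside allowed registry: ${resolved ?? "none"}` });
  }
  if (!integrity || !integrity.startsWith("sha512-")) {
    findings.push({ name, reason: `weak or missing integrity: ${integrity ?? "none"}` });
  }
}

function checkLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== "") checkEntry(path, entry, findings);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        checkEntry(prefix + name, entry, findings);
        walk(entry.dependencies, `${prefix}${name} > `);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample: one clean entry and one whose tarball was redirected.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/good-dep": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/good-dep/-/good-dep-1.0.0.tgz",
      integrity: "sha512-constructedPlaceholderHash==",
    },
    "node_modules/suspect-dep": {
      version: "2.0.0",
      resolved: "https://example.invalid/suspect-dep-2.0.0.tgz", // off-registry tarball
      integrity: "sha1-constructedPlaceholderHash=",
    },
  },
};

console.log(JSON.stringify(checkLockfile(SAMPLE_LOCK), null, 2));
```

In CI, exit non-zero when `checkLockfile` returns any findings so the redirected entry blocks the merge instead of relying on a reviewer to spot it in a long diff.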