It's really important for long term projects to keep access to all dependencies. Package lock files only guarantee that your inputs are still correct but they do not guarantee your inputs will still be around in 10 years.

Falls apart for typescript projects if js files aren't also committed and the package.json setup properly to export the JS code as a module.

Installing from GH directly can also fall apart when fancy built scripts are in place that have to be ran to create actual useful code. :(