...so our release tags end up with a package.json with the right version and a package-lock.json with a mismatched version. I think this just makes npm disregard the package-lock.json file, making it entirely pointless.

It may be better to just remove the thing from version control until we figure out this and whatever other nuances it introduces.