We have thought about moving to use package-lock.json the way NPM suggests, and at the same time have begun having issues with Travis caches. To address both at the same time, remove the cache from Travis, and make up the time by moving to package-lock.json + npm ci for install.
