I'm looking for an equivalent for yarn's --pure-lockfile flag.

This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it.

Does npm v5 have an equivalent?

npm 5.7 introduced the npm ci subcommand:

the main differences between using npm install and npm ci are:

• The project must have an existing package-lock.json or npm-shrinkwrap.json.
• If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
• npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
• If a node_modules is already present, it will be automatically removed before npm ci begins its install.
• It will never write to package.json or any of the package-locks: installs are essentially frozen.

this is how I did in my dockerfile

RUN npm install --pure-lockfile

it should work perfect.