When you build Vaadin it generates two files: package.json and package-lock.json.
Do I need to persist them in my VCS (Git in my case)?
package.json contains the frontend / npm / JavaScript dependencies for your project. If you do not add any custom dependencies to it, it can (and will) be re-generated automatically based on @NpmPackage annotations in Java sources.
package-lock.json is the means to provide a reproducible build. If you remove that, then the next build of the project might use different versions of some dependencies. In the worst case, the new versions have some bugs or compatibility problems and your project will no longer work.
It is therefore recommended to keep at least package-lock.json in the repository. If you are doing that, then keeping package.json also makes sense, as they kind of go hand in hand.
There may also be an additional benefit of keeping package.json in version control, if you have a dependency scanner that can warn you about vulnerable dependencies, such as Dependabot in GitHub.
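As an added example (not part of the answer above and not Vaadin's own code), a check like the following can run in CI to confirm that the committed package-lock.json still matches package.json and that every locked package can be verified on install. It assumes lockfileVersion 2 or 3; the function name auditLock, the package names and the registry URLs are constructed for illustration.

```javascript
// Added example: offline consistency check for package.json vs package-lock.json.
// Assumes lockfileVersion 2 or 3 (top-level "packages" map keyed by install path).
// auditLock and all sample data below are constructed for illustration.
function auditLock(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[""] || {}; // the lock's copy of the declared ranges
  for (const field of ["dependencies", "devDependencies"]) {
    const lockedRanges = root[field] || {};
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!packages["node_modules/" + name]) {
        findings.push(`${name}: declared in package.json but not locked`);
      } else if (lockedRanges[name] !== range) {
        findings.push(`${name}: range ${range} differs from lock (${lockedRanges[name]})`);
      }
    }
  }
  for (const [path, entry] of Object.entries(packages)) {
    // Root, symlinked workspaces and bundled packages have no tarball of their own.
    if (path === "" || entry.link || entry.inBundle) continue;
    if (!entry.integrity) findings.push(`${path}: no integrity hash`);
    if (entry.resolved && !entry.resolved.startsWith("https://")) {
      findings.push(`${path}: resolved from a non-HTTPS URL`);
    }
  }
  return findings;
}

const samplePkg = {
  dependencies: { "example-lib": "^1.2.0", "example-util": "^2.0.0", "example-new": "^0.1.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-lib": "^1.2.0", "example-util": "^1.9.0" } },
    "node_modules/example-lib": {
      version: "1.2.3",
      resolved: "https://registry.example.test/example-lib-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/example-util": {
      version: "1.9.4",
      resolved: "http://registry.example.test/example-util-1.9.4.tgz",
    },
  },
};

console.log(auditLock(samplePkg, sampleLock).join("\n"));
```

In a pipeline, load both files with JSON.parse and fail the build when the returned list is non-empty.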