audit: Verify lockfile integrity before running

Credit: @iarna

Author: iarna

lib/audit.js

@@ -5,6 +5,7 @@ const audit = require('./install/audit.js')
 const npm = require('./npm.js')
 const log = require('npmlog')
 const parseJson = require('json-parse-better-errors')
+const lockVerify = require('lock-verify')
 
 const readFile = Bluebird.promisify(fs.readFile)
 
@@ -66,7 +67,15 @@ function auditCmd (args, cb) {
       (pkgJson && pkgJson.dependencies) || {},
       (pkgJson && pkgJson.devDependencies) || {}
     )
-    return audit.generate(sw, requires)
+    return lockVerify(npm.prefix).then((result) => {
+      if (result.status) return audit.generate(sw, requires)
+
+      const lockFile = shrinkwrap ? 'npm-shrinkwrap.json' : 'package-lock.json'
+      const err = new Error(`Errors were found in your ${lockFile}, run  npm install  to fix them.\n    ` +
+        result.errors.join('\n    '))
+      err.code = 'ELOCKVERIFY'
+      throw err
+    })
   }).then((auditReport) => {
     return audit.submitForFullReport(auditReport)
   }).catch((err) => {