[BUG] `npm ci` succeeds when `package-lock.json` doesn't match `package.json`

[icatalina]

Current Behavior:

npm ci does not fail when package.json doesn't match package-lock.json

Expected Behavior:

npm ci refuses to install when the lock file is invalid.

Steps To Reproduce:

1. Manually bump a major version of a dependency in package.json
2. Run npm ci
3. It should fail but performs the whole installation

npm@7

npm@6

Environment:

• OS: Mac OS
• Node: 14.15.3
• npm: 7.5.4

[ext]

I've ran into this as well, is there any workarounds until this issue is resolved? Perhaps a flag or a new command could be added to verify the two files are in sync.

A consequence of this is that CI builds (which uses npm ci) now passes (as it installs an old version) even if a dependency would normally cause a build failure (such as when a major version as suggested by OP).

[aaronadamsCA]

This is also affecting workspaces.

We are trying to switch from Yarn workspaces to NPM workspaces, and we were confused why npm ci would tolerate an outdated lockfile (whereas yarn install --immutable would error out). This bug seems to explain it.

This is more or less a blocker for switching back to NPM. The NPM CLI tools for managing workspace dependencies are still rough enough that I expect some mistakes; but without this bugfix, I don't know any other way to protect our main branch against a lockfile mismatch. 😕