[BUG] npm ci respects the package-lock=false config flag #4185

@dominykas

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm ci will install latest versions, rather than versions from the shrinkwrap, if it is configured with package-lock=false (and/or shrinkwrap=false, although I didn't explicitly test what happens when the two don't match - they're aliased, aren't they?)

Expected Behavior

I realize this is a rather edgy case, but npm@6 used to respect the lockfile when running npm ci regardless of configuration.

npm ci fails when a lock file is not present, so it feels weird that it would check for the presence of a lockfile, but then entirely ignore its contents.

This might be intentional, in which case I'm sorry, but I don't recall this being mentioned under breaking changes?

Steps To Reproduce

  1. Have a repo with a lock file
  2. Configure npm via local .npmrc, or global .npmrc, or env to have package-lock=false
  3. Run npm ci

Environment

  • npm: 8.3.0
  • Node: 16.3.1
  • OS: macOS
  • platform:
  • npm config:
; copy and paste output from `npm config ls` here

Labels

  • Bug (thing that needs fixing)
  • Release 8.x (work is associated with a specific npm 8 release)
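
Added example, not part of the original issue and not npm's own code: a pre-flight check a CI job can run so that `npm ci` never proceeds with the lockfile disabled, the situation reported above. The function names are made up for this example; it looks at the project and user `.npmrc`, the `npm_config_*` environment variables, and npm's own resolved `package-lock` value.

```shell
#!/bin/sh
# Added example: pre-flight check for CI before running `npm ci`.
# All function names here are hypothetical, not part of npm.

# Succeeds if FILE sets package-lock or shrinkwrap to the literal value false.
npmrc_disables_lock() {
    [ -f "$1" ] || return 1
    # Drop spaces, tabs, CRs and quotes; comment lines (; or #) never match ^key=.
    tr -d ' \t\r"'"'" < "$1" | grep -Eq '^(package-lock|shrinkwrap)=false$'
}

# Succeeds if an npm_config_* environment variable disables the lockfile.
env_disables_lock() {
    for v in "${npm_config_package_lock:-}" "${NPM_CONFIG_PACKAGE_LOCK:-}" \
             "${npm_config_shrinkwrap:-}" "${NPM_CONFIG_SHRINKWRAP:-}"; do
        [ "$v" = "false" ] && return 0
    done
    return 1
}

# Prints one line per place that disables the lockfile for project DIR.
lock_disabled_sources() {
    for rc in "$1/.npmrc" "${HOME:-/nonexistent}/.npmrc"; do
        if npmrc_disables_lock "$rc"; then echo "file:$rc"; fi
    done
    if env_disables_lock; then echo "env"; fi
    # npm's own resolved value also covers config files not scanned above.
    if command -v npm >/dev/null 2>&1; then
        val=$(cd "$1" && npm config get package-lock 2>/dev/null) || val=unknown
        if [ "$val" = "false" ]; then echo "effective"; fi
    fi
    return 0
}

# Runs `npm ci` in DIR only when nothing disables the lockfile.
guarded_npm_ci() {
    found=$(lock_disabled_sources "$1")
    if [ -n "$found" ]; then
        echo "refusing npm ci, lockfile disabled by:" >&2
        echo "$found" >&2
        return 1
    fi
    (cd "$1" && npm ci)
}
```

In a pipeline, call `guarded_npm_ci "$PWD"` in place of a bare `npm ci`; a non-zero return fails the job before anything is installed.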
