`npm ci` doesn't validate versions for Git hashes between package.json and package-lock.json

What I Wanted to Do

npm ci should error when the git hashes of a package dependency are different in package.json and package-lock.json.

What Happened Instead

npm ci installed a library using the version in package-lock.json and ignored the different version in package.json

Reproduction Steps

git clone https://github.com/jschaf/npm-ci-git-hash-bug.git
cd npm-ci-git-hash-bug
npm install --package-lock-only

# Create a conflict:
sed -i '' 's/node-csv-stringify.git#[a-f0-9]*/node-csv-stringify.git#1a393b16b912040d60adac7fa4a5a7c53e09991c/' package.json

# Should error but successfully installs the version from package-lock.json
npm ci

Details

Platform Info

$ npm --versions
{ 'npm-ci-git-hash-bug': '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.3',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.51',
  zlib: '1.2.11' }

$ node -p process.platform
darwin

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.