npm ci does not throw an error when package-lock.json is outdated

What I Wanted to Do

What Happened Instead

Reproduction Steps

cd ~
mkdir foo
cd foo
npm init -y                                 # generate package.json
npm install                                 # generate package-lock.json

head -n3 package.json | tail -n1            # print   "version": "1.0.0",
head -n3 package-lock.json | tail -n1       # print   "version": "1.0.0",

sed -i "" 's/1.0.0/2.0.0/g' package.json    # change version from 1.0.0 to 2.0.0 on mac
head -n3 package.json | tail -n1            # print   "version": "2.0.0",

npm ci && echo ok                           # it should exit with an error code, but it echoes ok
head -n3 package-lock.json | tail -n1       # print   "version": "1.0.0",

npm install
head -n3 package-lock.json | tail -n1       # print   "version": "2.0.0",      package-lock.json updated

Details

Platform Info

$ npm --versions

{ npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.34.0',
  node: '10.16.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '6.8.275.32-node.52',
  zlib: '1.2.11' }

$ node -p process.platform
darwin

You are right, it does not exit with an error, but as the main focus is on installing the dependencies, I am not sure whether this is intended or missed.

  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

https://docs.npmjs.com/cli/ci.html
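
Added example (not part of the thread and not npm's own code): a check a CI job could run before `npm ci` to catch the top-level drift shown in the reproduction as well as dependency drift. The function name `lockDrift`, the dependency name `example-dep` and the sample objects are assumptions made for illustration; it goes beyond the reported case by also handling lockfileVersion 2/3, where the root entry `packages[""]` records the declared ranges.

```javascript
// Report drift between a parsed package.json and a parsed package-lock.json.
// Handles lockfileVersion 1 (npm 6, as in the report) and 2/3 (npm 7+).
function lockDrift(pkg, lock) {
  const problems = [];
  // lockfileVersion 2/3 keep a copy of the root manifest under packages[""].
  const root = (lock.packages && lock.packages['']) || null;

  // Top-level metadata: the field the reproduction above changes.
  for (const field of ['name', 'version']) {
    const locked = root && root[field] !== undefined ? root[field] : lock[field];
    if (locked !== pkg[field]) {
      problems.push(`${field}: package.json=${pkg[field]} lock=${locked}`);
    }
  }

  for (const section of ['dependencies', 'devDependencies']) {
    for (const [dep, range] of Object.entries(pkg[section] || {})) {
      if (root) {
        // v2/v3: the declared range is recorded, so compare it exactly.
        const lockedRange = (root[section] || {})[dep];
        if (lockedRange !== range) {
          problems.push(`${section}.${dep}: package.json=${range} lock=${lockedRange}`);
        }
      } else if (!(lock.dependencies || {})[dep]) {
        // v1 stores only resolved versions, so only presence can be checked
        // without a semver library.
        problems.push(`${section}.${dep}: missing from lock`);
      }
    }
  }
  return problems;
}

// Constructed sample mirroring the reproduction: version bumped in package.json only.
const samplePkg = { name: 'foo', version: '2.0.0', dependencies: { 'example-dep': '^1.3.0' } };
const sampleLock = {
  name: 'foo', version: '1.0.0', lockfileVersion: 1,
  dependencies: { 'example-dep': { version: '1.3.0' } },
};
console.log(lockDrift(samplePkg, sampleLock));
```

To use it on a real project, pass the `JSON.parse` results of both files and fail the build when the returned list is non-empty.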