fix(ci): lock file validation

Make sure to validate any lock file (either package-lock.json or
npm-shrinkwrap.json) against the current install. This will properly
throw an error in case any of the dependencies being installed don't
match the dependencies that are currently listed in the lock file.

Fixes: https://github.com/npm/cli/issues/2701
Fixes: https://github.com/npm/cli/issues/3947

1 files changed, 29 insertions, 0 deletions

diff --git a/smoke-tests/index.js b/smoke-tests/index.js
index 83e54ae9f..464187da0 100644
--- a/smoke-tests/index.js
+++ b/smoke-tests/index.js
@@ -21,6 +21,7 @@ t.cleanSnapshot = s =>
     .replace(/\r\n/g, '\n')
     .replace(/ \(in a browser\)/g, '')
     .replace(/^npm@.* /gm, 'npm ')
+    .replace(/^.*debug-[0-9]+.log$/gm, '')
 
 // setup server
 const { start, stop, registry } = require('./server.js')
@@ -320,3 +321,31 @@ t.test('npm update --save', async t => {
     'should have expected update --save lockfile result'
   )
 })
+
+t.test('npm ci', async t => {
+  await exec(`${npmBin} uninstall abbrev`)
+  await exec(`${npmBin} install abbrev@1.0.4 --save-exact`)
+
+  t.equal(
+    JSON.parse(readFile('package-lock.json')).packages['node_modules/abbrev'].version,
+    '1.0.4',
+    'should have stored exact installed version'
+  )
+
+  await exec(`${npmBin} pkg set "dependencies.abbrev=^1.1.1"`)
+
+  try {
+    const npmOpts = [
+      `--registry=${registry}`,
+      `--cache="${cacheLocation}"`,
+      `--userconfig="${userconfigLocation}"`,
+      '--no-audit',
+      '--no-update-notifier',
+      '--loglevel=error',
+    ].join(' ')
+    const npmBin = `"${process.execPath}" "${npmLocation}" ${npmOpts}`
+    await exec(`${npmBin} ci`)
+  } catch (err) {
+    t.matchSnapshot(err.stderr, 'should throw mismatch deps in lock file error')
+  }
+})