fix(ci): lock file validation

Make sure to validate any lock file (either package-lock.json or
npm-shrinkwrap.json) against the current install. This will properly
throw an error in case any of the dependencies being installed don't
match the dependencies that are currently listed in the lock file.

Fixes: https://github.com/npm/cli/issues/2701
Fixes: https://github.com/npm/cli/issues/3947

3 files changed, 59 insertions, 0 deletions

diff --git a/tap-snapshots/smoke-tests/index.js.test.cjs b/tap-snapshots/smoke-tests/index.js.test.cjs
index c1316e04d..5fa3977a8 100644
--- a/tap-snapshots/smoke-tests/index.js.test.cjs
+++ b/tap-snapshots/smoke-tests/index.js.test.cjs
@@ -42,6 +42,17 @@ npm {CWD}
 
 `
 
+exports[`smoke-tests/index.js TAP npm ci > should throw mismatch deps in lock file error 1`] = `
+npm ERR! \`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing.
+npm ERR! 
+npm ERR! Invalid: lock file's abbrev@1.0.4 does not satisfy abbrev@1.1.1
+npm ERR! 
+
+npm ERR! A complete log of this run can be found in:
+
+
+`
+
 exports[`smoke-tests/index.js TAP npm diff > should have expected diff output 1`] = `
 diff --git a/package.json b/package.json
 index v1.0.4..v1.1.1 100644
diff --git a/tap-snapshots/test/lib/commands/ci.js.test.cjs b/tap-snapshots/test/lib/commands/ci.js.test.cjs
new file mode 100644
index 000000000..d6a747177
--- /dev/null
+++ b/tap-snapshots/test/lib/commands/ci.js.test.cjs
@@ -0,0 +1,13 @@
+/* IMPORTANT
+ * This snapshot file is auto-generated, but designed for humans.
+ * It should be checked into source control and tracked carefully.
+ * Re-generate by setting TAP_SNAPSHOT=1 and running tests.
+ * Make sure to inspect the output below.  Do not ignore changes!
+ */
+'use strict'
+exports[`test/lib/commands/ci.js TAP should throw error when ideal inventory mismatches virtual > must match snapshot 1`] = `
+\`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing.
+
+Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0
+
+`
diff --git a/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs b/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
new file mode 100644
index 000000000..98a51267b
--- /dev/null
+++ b/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
@@ -0,0 +1,35 @@
+/* IMPORTANT
+ * This snapshot file is auto-generated, but designed for humans.
+ * It should be checked into source control and tracked carefully.
+ * Re-generate by setting TAP_SNAPSHOT=1 and running tests.
+ * Make sure to inspect the output below.  Do not ignore changes!
+ */
+'use strict'
+exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on idealTree > should have missing entries error 1`] = `
+Array [
+  "Missing: baz@3.0.0 from lock file",
+]
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on virtualTree > should have no errors if finding virtualTree extra items 1`] = `
+Array []
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP identical inventory for both idealTree and virtualTree > should have no errors on identical inventories 1`] = `
+Array []
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP mismatching versions on inventory > should have errors for each mismatching version 1`] = `
+Array [
+  "Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0",
+  "Invalid: lock file's bar@2.0.0 does not satisfy bar@3.0.0",
+]
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP missing virtualTree inventory > should have errors for each mismatching version 1`] = `
+Array [
+  "Missing: foo@1.0.0 from lock file",
+  "Missing: bar@2.0.0 from lock file",
+  "Missing: baz@3.0.0 from lock file",
+]
+`