[BUG] NPM doesn't complain about malformed JSON in package-lock file #4844
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
The artifacts of a merge conflict (<<<< HEAD, ||||, ====, >>>>> <hash>) in a package-lock.json file were accidentally committed to my repository. Running npm ci succeeded with no issues, even though the version and integrity fields were duplicated in a JSON object, and non-JSON compliant text was present.
Expected Behavior
If the JSON in a package-lock.json file is malformed, I expect npm ci to exit with a non-zero exit code. That is the behavior of NPM v6.14.16, but not NPM v7 or v8.
Steps To Reproduce
- In this environment, with this zip file extracted into an empty folder (contains a minimal
package.jsonandpackage-lock.jsonto reproduce the bug). - With this config, using any NPM version more recent than
7.0.0. - Run
npm ci. - And see that no error is reported.
- If you install NPM <
7.0.0, like6.14.16, runningnpm cidoes throw an error.
Environment
- npm: 8.5.1 (present starting in 7.0.0 up to 8.8.0)
- Node.js: 14.19.1
- OS Name: Ubuntu 20.04.4
- System Model Name: Dell Precision 7560
- npm config:
; "user" config from $HOME/.npmrc
(obfuscated):registry = "https://npm.pkg.github.com"
//npm.pkg.github.com/:_authToken = (protected)
; node bin location = /usr/bin/node
; cwd = $HOME/playground/npm-test
; HOME = /home/(user)
; Run `npm config ls -l` to show all defaults.