[BUG] npm shrinkwrap renames out of date package-lock

[aovchinn]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

with disabled package-locks in npm config npm shrinkwrap command produces different result based on presense of package-lock.json file

if it is present it just renames it, but actual node_modules could be different at that moment
if it is not present it would calculate up to date npm-shrinkwrap.json

Expected Behavior

npm shrinkwrap should give the same output with or without package-lock.json
shrinkwraps from case (a) and case (b) in Steps To Reproduce should be the same
I expect them to be, should they though ?

Steps To Reproduce

case (a)

• npm install (package-lock.json generated)
• set package-lock = false in npm config
• update version of a package in package.json
• npm install
• npm shrinkwrap (just a rename of old, outdated package-lock.json)

case (b)

• all steps from case (a)
• rm package-lock.json npm-shrinkwrap,json
• npm shrinkwrap (new shrinkwrap is generated, with up to date data from node_modules)

Environment

• OS: Windows 10 Home 21H1 19043.1288
• Node: v16.13.0
• npm: 8.1.1

[aovchinn]

in this repo https://github.com/aovchinn/npm-shrinkwrap
npm-shrinkwrap-saved.json is a result of npm-srinkwrap with present package-lock.json
npm-shrinkwrap.json is a result of npm shrinkwrap without package-lock.json

[darcyclarke]

Update

• this can potentially be closed - let's re-triage steps to reproduce to confirm though

[lukekarrys]

This is still an issue. I think the issue is that we don't error in the "case a" (npm shrinkwrap (just a rename of old, outdated package-lock.json)), similar to the recent change made in #4599. The fix should be to throw an error if the package-lock is out date before attempting to shrinkwrap.