[BUG] npm ci does not appear to respect the lock file

[jsg2021]

Current Behavior:

I'm currently in the middle of trying to create a patch build for my prod env and my builds are failing because my lock file is not pinning my internal git dependencies like it used to. It also takes 5mins vs npm 6's 15sec.

Expected Behavior:

The lock file is respected and only it is consulted... no updates, no resolutions, no healing.

Steps To Reproduce:

Install a project that has a git dependency... observe the lock file has a git hash. Blow away the node_modules, use npm ci after making some obvious change in the git dependency and observe the locked version without the change is not present and the latest is.

Environment:

OS: linux
node: 15.12.0
npm: 7.8.0 (tested all the way back to 7.6...) npm 6 works as expected.

[jsg2021]

I found it. I have a package local .npmrc with package-lock=false for snapshot builds... on npm 6, that doesn't affect npm ci... when we cut releases we set that to true and generate the lock file... apparently, we haven't been committing the changed .npmrc... but I think this should cause npm ci to fail or npm ci ignores that setting if a package-lock exists?

[wraithgar]

Closing as duplicate of #2747