
Require Resolved field, and Check package versions #120

Closed

bozdoz opened this issue Apr 5, 2022 · 8 comments

Labels: question (Further information is requested)

Comments


bozdoz commented Apr 5, 2022

I've run into timeout issues with npm because my packages don't have 'resolved' fields in the package-lock file. This seems simple enough to add:

```js
// inside the loop over lockfile entries: skip entries that carry no `resolved` URL
if (!('resolved' in packageMetadata)) {
  continue
}
```

I am also curious about ensuring versions; squelched here:

```js
// swallow error (assume that the version is correct)
```

Wondering if you are accepting PRs for this, and if you have any insight/preferences for how this is accomplished.

@lirantal lirantal self-assigned this Apr 6, 2022
@lirantal lirantal added the question Further information is requested label Apr 6, 2022
lirantal (Owner) commented Apr 6, 2022

Hi Bozdov, thanks for opening an issue on these.

The first issue you reported sounds like something we should fix. Could you also share an example/reference lockfile which doesn't have that resolved field? On this issue still - if resolved isn't available, it might be a good idea to show a warning on STDERR to capture the attention of the user and recommend regenerating the lockfile.

Let's break this up into small PRs so it's easy to reason about and merge. Would you like to start with issue (1) as you pointed out?

bozdoz (Author) commented Apr 14, 2022

@lirantal Yes I can split this into separate issues and start on the resolved fields issue. Stay tuned! 😄

lirantal (Owner) commented

Sounds good!

bozdoz (Author) commented May 12, 2022

Quick follow-up: I found out that resolved fields appear to go missing if the packages are installed, then the lockfile deleted, and the lockfile is regenerated with npm i. My best guess is that npm sees that the packages are present so doesn't attempt a download and doesn't try to resolve anything.

Using npm@8.5.0 and node@16.14.2 on a brand new project.

lirantal (Owner) commented

Could it be that these are changes related to the lockfile version? I believe it was simply schema changes between npm6, npm7, and npm8.

bozdoz (Author) commented Sep 17, 2022

Just to follow up, I cannot seem to reproduce the 'resolved' fields missing anymore, even on the npm version I mentioned before. I've seen this happen in 3 different (work) projects, and even to myself (personal project), but just tried a few times now and can't figure out what situation causes it.

@bozdoz bozdoz closed this as completed Oct 6, 2022
bozdoz (Author) commented Apr 12, 2023

Just a follow up; found more lockfiles without resolved fields, and found this related Issue: npm/cli#4460

I still think it may be an issue as it makes it somewhat ambiguous as to which registry it will fetch from (i.e. I'm using --allowed-hosts, but I assume it won't enforce it when resolved doesn't exist).

@lirantal

bozdoz (Author) commented Apr 12, 2023

Just noticing how much of an epic thread this really is: npm/cli#4460 (comment)

> This whole area is a real surprise. What is the point of these half-guarantees and false sense of [literal] security? I've been operating as if NPM had my back on this stuff, and it's really jarring to realize that not only does it not have my back, but maintainers seem to be insisting that [it] shouldn't have my back...
