是否有工具可以验证/检查 package.json 和 package-lock.json 是否一致？

Question

Sometimes people change package.json and forget to run npm i which will update package-lock.json , or package.json and package-lock.json are otherwise out of sync. This is an assumption not to be discussed/questioned here. I am looking for a tool that helps detect such cases.

Do you know of an npm feature or third-party tool that can sanity-check package-lock.json ? For example, it should resolve all transitive dependencies, and check that they all are mentioned in the lock file with a version in the correct semver range. It should tell whether it would make sense to run npm i in order to update your lockfile, or also whether npm ci would get you all the dependencies required as defined in package.json (accounting for transitivity).

I thought that npm --loglevel verbose install --dry-run would be a reasonable candidate, but its output does not mention what it would do to package-lock.json in case it would be run without --dry-run . Of course one option would be to run npm i and then git diff package-lock.json (or similar), but that's dirty.

Answer 1

npm ls --depth 1 does these checks:

for example, this is the output:

+-- UNMET DEPENDENCY fastify@^2.0.0
+-- foo@0.0.7 extraneous
`-- got@10.3.0
  +-- @sindresorhus/is@1.2.0
  +-- @szmarczak/http-timer@4.0.0
  +-- @types/cacheable-request@6.0.1
  +-- cacheable-lookup@0.2.2
  +-- cacheable-request@7.0.1
  +-- decompress-response@5.0.0
  +-- duplexer3@0.1.4
  +-- get-stream@5.1.0
  +-- lowercase-keys@2.0.0
  +-- mimic-response@2.0.0
  +-- p-cancelable@2.0.0
  +-- responselike@2.0.0
  +-- to-readable-stream@2.1.0
  `-- type-fest@0.9.0

npm ERR! missing: fastify@^2.0.0, required by asd@1.0.0
npm ERR! extraneous: foo@0.0.7

I get this doing:

npm init --yes
npm i got
npm i foo
// removed foo manually from package json
// added fastify manually to package json