Check for outdated package-lock.json

[Sinclert]

There are cases where an outdated package-lock.json could be mistakenly pushed, making GitHub Actions CI to successfully run the validations, while our local environment fails.

This may happen while debugging, as different versions of the package.json specified packages could be installed locally (therefore updating both package.json and package-lock.json files), before manually changing package.json back to its original specification.

The script could rely on:

• npm install --package-lock-only option.
• git diff --exit-code option.

[Sinclert]

Turns out checking for the package-lock.json file to be out of sync with respect to the package.json is something already promised for the npm ci command to do:

If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

However, npm ci versions 7 and 8 (prior to 8.4.1) contain a bug so that package-lock.json inconsistencies are not properly alert about. More information can be found in:

• The tracking issue.
• The fixing PR.