1 files changed, 52 insertions, 18 deletions

diff --git a/deps/npm/lib/install/read-shrinkwrap.js b/deps/npm/lib/install/read-shrinkwrap.js
index 3453e3192f..913c303482 100644
--- a/deps/npm/lib/install/read-shrinkwrap.js
+++ b/deps/npm/lib/install/read-shrinkwrap.js
@@ -1,25 +1,59 @@
 'use strict'
-var path = require('path')
-var fs = require('graceful-fs')
-var iferr = require('iferr')
-var inflateShrinkwrap = require('./inflate-shrinkwrap.js')
-var parseJSON = require('../utils/parse-json.js')
 
-var readShrinkwrap = module.exports = function (child, next) {
+const BB = require('bluebird')
+
+const fs = require('graceful-fs')
+const iferr = require('iferr')
+const inflateShrinkwrap = require('./inflate-shrinkwrap.js')
+const log = require('npmlog')
+const parseJSON = require('../utils/parse-json.js')
+const path = require('path')
+const PKGLOCK_VERSION = require('../npm.js').lockfileVersion
+const pkgSri = require('../utils/package-integrity.js')
+
+const readFileAsync = BB.promisify(fs.readFile)
+
+module.exports = readShrinkwrap
+function readShrinkwrap (child, next) {
   if (child.package._shrinkwrap) return process.nextTick(next)
-  fs.readFile(path.join(child.path, 'npm-shrinkwrap.json'), function (er, data) {
-    if (er) {
-      child.package._shrinkwrap = null
-      return next()
+  BB.join(
+    maybeReadFile('npm-shrinkwrap.json', child),
+    // Don't read non-root lockfiles
+    child.isTop && maybeReadFile('package-lock.json', child),
+    child.isTop && maybeReadFile('package.json', child),
+    (shrinkwrap, lockfile, pkgJson) => {
+      if (shrinkwrap && lockfile) {
+        log.warn('read-shrinkwrap', 'Ignoring package-lock.json because there is already an npm-shrinkwrap.json. Please use only one of the two.')
+      }
+      const name = shrinkwrap ? 'npm-shrinkwrap.json' : 'package-lock.json'
+      let parsed = null
+      if (shrinkwrap || lockfile) {
+        try {
+          parsed = parseJSON(shrinkwrap || lockfile)
+        } catch (ex) {
+          throw ex
+        }
+      }
+      if (
+        pkgJson &&
+        parsed &&
+        parsed.packageIntegrity &&
+        !pkgSri.check(JSON.parse(pkgJson), parsed.packageIntegrity)
+      ) {
+        log.info('read-shrinkwrap', `${name} will be updated because package.json does not match what it was generated against.`)
+      }
+      if (parsed && parsed.lockfileVersion !== PKGLOCK_VERSION) {
+        log.warn('read-shrinkwrap', `This version of npm is compatible with lockfileVersion@${PKGLOCK_VERSION}, but ${name} was generated for lockfileVersion@${parsed.lockfileVersion || 0}. I'll try to do my best with it!`)
+      }
+      child.package._shrinkwrap = parsed
     }
-    try {
-      child.package._shrinkwrap = parseJSON(data)
-    } catch (ex) {
-      child.package._shrinkwrap = null
-      return next(ex)
-    }
-    return next()
-  })
+  ).then(() => next(), next)
+}
+
+function maybeReadFile (name, child) {
+  return readFileAsync(
+    path.join(child.path, name)
+  ).catch({code: 'ENOENT'}, () => null)
 }
 
 module.exports.andInflate = function (child, next) {