Open
Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue), Release 8.x (work is associated with a specific npm 8 release)
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
In order to assure reproducible installations, every package listed in a package-lock.json which is fetched from a registry should contain a resolved and integrity field.
This doesn't seem to be the case looking at some existing lockfileVersion = 2 based file.
See for example: https://raw.githubusercontent.com/directus/directus/2938821be05eaf195872c34eed709ac9b4a430b4/package-lock.json
Inspecting the entries for [email protected] (and many others), neither resolved nor integrity exist.
Checking out the repository and executing npm install happily installs [email protected] while:
- not complaining about the missing integrity
- not adding the missing information to the package-lock.json file
To fix the lock file, one currently has to:
- delete all `node_modules` directories
- delete the `package-lock.json` file
- execute `npm install`
Expected Behavior
- When the integrity field is missing for a package, a warning/error should be shown to the user
  (the problem should be of equivalent importance to a mismatching integrity)
- The broken package-lock.json file should be repaired somehow
  (not necessarily automatically, but the user should be informed about the problem and instructed on how to fix it)
Steps To Reproduce
> git clone https://github.com/directus/directus
> cd directus
> git checkout 2938821be05eaf195872c34eed709ac9b4a430b4
> npm install
lock file is still broken (check entry [email protected])
Environment
- npm: 8.5.1
- Node.js: v16.14.0
- OS Name: docker node:16
- npm config:
; node bin location = /usr/local/bin/node
; cwd = /
; HOME = /root
; Run `npm config ls -l` to show all defaults.
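
A check of the kind the report asks for, as an added example (not npm's code and not part of the original issue): it walks the `packages` map of a parsed lockfileVersion 2 lockfile and lists registry-style entries that lack `resolved` or `integrity`. The function names, the registry heuristic and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for entries that should carry `resolved` and `integrity` but do not.
// Heuristic (assumption): an entry under node_modules/ that is not a link,
// not bundled, and not resolved from git/file sources comes from a registry.

function isRegistryLike(entry) {
  if (entry.link || entry.inBundle) return false;   // workspace symlink / bundled dependency
  if (entry.resolved === undefined) return true;    // nothing recorded: the reported case
  return /^https?:\/\//.test(entry.resolved);       // git+ssh:, file: etc. are out of scope here
}

function findUnpinned(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes('node_modules/')) continue;  // skip root ("") and workspace folders
    if (!isRegistryLike(entry)) continue;
    const missing = ['resolved', 'integrity'].filter((k) => !entry[k]);
    if (missing.length) findings.push({ path, version: entry.version, missing });
  }
  return findings;
}

// Constructed sample lockfile (package names and hash values are made up).
const sampleLock = {
  name: 'demo', lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/pinned': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/pinned/-/pinned-1.2.3.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDER==',
    },
    'node_modules/bare': { version: '2.0.0' },
    'node_modules/no-hash': {
      version: '3.1.0',
      resolved: 'https://registry.npmjs.org/no-hash/-/no-hash-3.1.0.tgz',
    },
    'node_modules/from-git': {
      version: '0.1.0',
      resolved: 'git+ssh://git@example.com/org/from-git.git#0000000',
    },
    'node_modules/local-link': { resolved: 'packages/local', link: true },
    'packages/local': { name: 'local-link', version: '1.0.0' },
    'node_modules/host/node_modules/inner': { version: '1.0.0', inBundle: true },
  },
};

for (const f of findUnpinned(sampleLock)) {
  console.log(`${f.path}@${f.version}: missing ${f.missing.join(', ')}`);
}
```

In CI, pass it the result of `JSON.parse` on the real `package-lock.json` and fail the build when the returned list is non-empty.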