Consider providing an npm-lock file before installing html-validate

[sarahelsaig]

A followup to the discussion in Lombiq/UI-Testing-Toolbox#327 (comment).

As a reminder, the idea is that if the HtmlValidatePackageVersion is not changed, a prepared lock file may be copied into the working directory before the NPM install is called.

[YevgeniyShunevych]

Basically, I'm OK with the idea. But I have an issue with package-lock.json in global install mode. It seems like npm just ignores package-lock.json when I do something like npm install -g [email protected] --save-exact and have a particular package-lock.json in the working directory. So it just installs the latest version of dependecy. On the other hand, npm install [email protected] --save-exact (without -g) respects the dependency versions from package-lock.json, and I see correct dependency version in node_modules. But anyway, we need global installation. Perhaps some npm arguments needed or something else, but I didn't have luck so far. Maybe you @sarahelsaig have more experience with npm, and can help resolve that?

[sarahelsaig]

You are right, package locks are not respected for global installs. Though I wonder if having both global installation and a version selector won't cause conflicts if a project actually sets it to a non-default value anyway. Without version selectors we could carry a zip of the default version and copy it into the "$(npm config get prefix)\node_modules" path. Without global we could just use a package lock.

I also heard that npm-shrinkwrap should work since that's the portable version, but it looks like they intentionally don't support it. It may be possible to navigate to the prefix directory, move the lock file there and install a package as if it was a local target, but then it acts as if all the dependencies were globally installed too so that's very messy.