Your package-lock.json should always match and resolve all packages from your package.json.
Coming from Yarn, I was looking for an option like Yarn's --frozen-lockfile
which validates that. Here is what seems to be the way to do it.
Using npm clean-install
Running npm clean-install instead of npm install will actually validate that your package-lock.json matches your package.json, and the install fails if it does not.
You can use npm ci as a shortcut for npm clean-install.
Combine with a cache
The idea of a "clean install" is that it always installs from scratch and thus ignores any existing cache or the --cache flag.
If you want to use a cache (e.g. on CI) but still validate the lock file (otherwise you would not notice CI installing packages that are not pinned in your package-lock.json), you can combine clean-install and install, and ask clean-install not to actually install anything:
npm clean-install --dry-run && npm install --cache=path/to/cache
Note that npm clean-install could be considered the only command necessary to install packages in CI. However, it always downloads all packages on each CI run, and that really should not be necessary. Using a cache is perfectly fine.
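To make concrete what "the lock file matches package.json" means, and why a silent mismatch matters for a CI build, here is an added example that is not part of the original post and not npm's own validation logic. It is a simplified, offline approximation of the comparison: with lockfileVersion 2 or 3, package-lock.json records the root project's declared ranges under packages[""], and every resolved package as a node_modules/<name> entry, so drift can be spotted by comparing those against package.json. The sample package.json and package-lock.json below are constructed for the demonstration and deliberately disagree; the integrity check at the end goes slightly beyond matching ranges and flags entries whose tarball could not be verified on install.

```python
import json
from typing import Dict, List

# Constructed sample input (not taken from the post): a package.json and a
# lockfileVersion 3 package-lock.json that have drifted apart.
PACKAGE_JSON = json.loads("""
{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": { "left-pad": "^1.3.0", "lodash": "^4.17.21" },
  "devDependencies": { "jest": "^29.0.0" }
}
""")

PACKAGE_LOCK = json.loads("""
{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "demo-app",
      "version": "1.0.0",
      "dependencies": { "lodash": "^4.17.20" },
      "devDependencies": { "jest": "^29.0.0" }
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"
    },
    "node_modules/jest": {
      "version": "29.7.0",
      "resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz"
    }
  }
}
""")

# Dependency fields assumed to be mirrored in the lock's root entry (packages[""]).
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def lockfile_drift(package_json: dict, lockfile: dict) -> List[str]:
    """Return human-readable findings; an empty list means no drift detected.

    This approximates, not reproduces, the check npm ci performs.
    """
    findings: List[str] = []
    if lockfile.get("lockfileVersion", 1) < 2:
        return ["lockfileVersion < 2: no root 'packages' entry to compare against"]
    packages = lockfile.get("packages", {})
    root = packages.get("", {})
    for field in DEP_FIELDS:
        declared: Dict[str, str] = package_json.get(field, {})
        recorded: Dict[str, str] = root.get(field, {})
        for name, rng in declared.items():
            # Declared range must be recorded identically for the root project.
            if name not in recorded:
                findings.append(f"{field}/{name}: declared in package.json but absent from lock root")
            elif recorded[name] != rng:
                findings.append(f"{field}/{name}: range {rng!r} in package.json vs {recorded[name]!r} in lock")
            # And the package itself must have a resolved entry; otherwise a
            # plain `npm install` would resolve it fresh from the registry.
            if f"node_modules/{name}" not in packages:
                findings.append(f"{field}/{name}: no resolved entry node_modules/{name} in lock")
        for name in recorded:
            if name not in declared:
                findings.append(f"{field}/{name}: recorded in lock root but removed from package.json")
    # Beyond range matching: every resolved entry (workspace links excepted)
    # should carry an integrity hash so the downloaded tarball can be verified.
    for path, entry in packages.items():
        if path and "integrity" not in entry and not entry.get("link"):
            findings.append(f"{path}: entry has no integrity hash (tarball cannot be verified)")
    return findings


if __name__ == "__main__":
    for finding in lockfile_drift(PACKAGE_JSON, PACKAGE_LOCK):
        print("DRIFT:", finding)
```

Run against the constructed pair, the script reports the dependency missing from the lock entirely, the range that was bumped in package.json without regenerating the lock, and the entry with no integrity hash; a clean pair yields no findings. In a real pipeline you would still let npm ci do this check, as the post describes, since it also understands semver satisfaction and nested dependency trees that this approximation ignores.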