[BUG] npm ci requires yarn.lock to be writeable if it is present, even though it should not write to any lock files

[derekpiasecki]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When I run npm ci and a yarn.lock file is present and is read-only, it fails due to requesting write permission it does not need:

npm ERR! code EPERM
npm ERR! syscall open
npm ERR! path C:\git\mytestproject\yarn.lock
npm ERR! errno -4048
npm ERR! Error: EPERM: operation not permitted, open 'C:\git\mytestproject\yarn.lock'
npm ERR!  [Error: EPERM: operation not permitted, open 'C:\git\mytestproject\yarn.lock'] {
npm ERR!   errno: -4048,
npm ERR!   code: 'EPERM',
npm ERR!   syscall: 'open',
npm ERR!   path: 'C:\\git\\mytestproject\\yarn.lock'
npm ERR! }
npm ERR!
npm ERR! The operation was rejected by your operating system.
npm ERR! It's possible that the file was already in use (by a text editor or antivirus),
npm ERR! or that you lack permissions to access it.
npm ERR!
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator.

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\myusername\AppData\Local\npm-cache\_logs\2022-08-17T18_25_43_640Z-debug-0.log

Expected Behavior

Running npm ci should not request write access when opening yarn.lock, since it is only reading the file.

Steps To Reproduce

1. In an environment with a recent NPM (found on 8.1.2 and 8.4.1, then updated to latest 8.17.0 to confirm)
2. With a yarn.lock file present and marked as read-only
3. Run npm ci
4. Observe error npm ERR! Error: EPERM: operation not permitted, open '<path>\yarn.lock'

Environment

• npm: 8.17.0
• Node.js: v16.14.0
• OS Name: Windows 10 version 21H2
• System Model Name: Dell
• npm config:

; "builtin" config from C:\Users\myusername\AppData\Roaming\npm\node_modules\npm\npmrc

prefix = "C:\\Users\\myusername\\AppData\\Roaming\\npm"

; "user" config from C:\Users\myusername\.npmrc

@isi-itp:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = (protected)
enableStrictSsl = false
msvs_version = "2019"
strict-ssl = false

; node bin location = C:\Program Files\nodejs\node.exe
; cwd = C:\git\mytestproject
; HOME = C:\Users\myusername
; Run `npm config ls -l` to show all defaults.

[wraithgar]

Closing as duplicate of #5126

Adding a comment there that npm ci is also definitely affected.

[derekpiasecki]

Although it is reasonable to combine this with #5126, I want to be clear that this issue is not about actual modifications to yarn.lock, but rather the requirement that yarn.lock be writeable even though it does not get changed by npm ci.