Problem
Due to what is probably a bug in npm¹, lots of package-lock.json files lack the resolved URLs as well as integrity hashes for packages pinned in them.
This creates a problem for our current npm build infrastructure, which relies on a cache-only policy to ensure reproducibility.
Reproducer
One example² that breaks on this scenario is bokehjs, the JavaScript bits of bokeh:
bokehjs> npm ERR! code ENOTCACHED
bokehjs> npm ERR! request to https://registry.npmjs.org/p-map failed: cache mode is 'only-if-cached' but no cached response is available.
This can be reproduced by building python3.pkgs.bokeh.bokehjs in #215406.
Prior art
With the Rust fetcher there is an issue where Cargo lock files don't contain hashes for git dependencies. In that case hashes will be embedded into the derivation in an attribute set cargoLock.outputHashes that maps from <package>-<version> to hash.
Something similar could be implemented for the npm fetcher.
[1] npm/cli#4460
[2] https://github.com/bokeh/bokeh/blob/91f0c3c9b04da751094642790511593fae41533d/bokehjs/package-lock.json#L101-L114
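A check for the condition described in this issue, as an added example that is not part of the original post or of the nixpkgs npm fetcher: it lists lockfile entries that have no resolved URL or no integrity hash, for both lockfileVersion 1 and 2/3. The names findIncompleteEntries and sampleLock are hypothetical, the sample lockfile is constructed, and exempting bundled and linked entries is an assumption of this example.

```javascript
// List package-lock.json entries that lack "resolved" and/or "integrity".
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findIncompleteEntries(lock) {
  const findings = [];
  const check = (name, entry) => {
    // Assumption: bundled deps ship inside their parent's tarball and links
    // point at local directories, so neither needs its own URL or hash.
    if (entry.bundled || entry.inBundle || entry.link) return;
    const missing = ['resolved', 'integrity'].filter((k) => !entry[k]);
    if (missing.length) findings.push({ name, version: entry.version, missing });
  };

  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // Skip the root project ("") and workspace members outside node_modules/.
      if (!path.includes('node_modules/')) continue;
      check(path, entry);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(prefix + name, entry);
        walk(entry.dependencies, prefix + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample, not the real bokehjs lockfile; the hash is a placeholder.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/example-dep': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/p-map': { version: '4.0.0' }, // no URL, no hash
    'node_modules/local-lib': { resolved: 'packages/local-lib', link: true },
    'packages/local-lib': { version: '0.1.0' },
  },
};

for (const f of findIncompleteEntries(sampleLock)) {
  console.log(`${f.name}@${f.version}: missing ${f.missing.join(', ')}`);
}
```

An entry reported here has no hash for the build to verify its tarball against.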