npm prune creates package-lock.json file

[watson]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

A package-lock.json file is created if you run npm prune in a directory that doesn't have one already.

This is what it will look like if there is no package.json and no modules installed in the directory:

{
  "lockfileVersion": 1
}

This is what it will look like if there is a package.json in the same directory, but npm install have not yet been run:

{
  "name": "foo",
  "version": "1.0.0",
  "lockfileVersion": 1
}

If modules are already installed in a node_modules folder those will be listed in the package-lock.json file as well - no matter if there is a local package.json file listing those dependencies or not.

How can the CLI team reproduce the problem?

1. Go to a directory without a package-lock.json file, e.g: cd /tmp && mkdir foo && cd foo
2. Run npm prune
3. Check to see if a package-lock.json file have been created

supporting information:

• npm -v prints: 5.0.3
• node -v prints: v8.0.0
• npm config get registry prints: https://registry.npmjs.org/
• Windows, OS X/macOS, or Linux?: macOS 10.12.5

This issue is related to #17061