fix(npm): ignore scripts even for package lock only

lib/manager/npm/post-update/__snapshots__/lerna.spec.ts.snap

@@ -3,7 +3,7 @@
 exports[`generateLockFiles() allows scripts for trust level high 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -20,7 +20,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@latest bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@latest bootstrap --no-ci --  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -42,7 +42,7 @@ Array [
 exports[`generateLockFiles() defaults to latest 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -59,7 +59,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@latest bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@latest bootstrap --no-ci -- --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -81,7 +81,7 @@ Array [
 exports[`generateLockFiles() generates package-lock.json files 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -98,7 +98,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@2.0.0 bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@2.0.0 bootstrap --no-ci -- --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -159,7 +159,7 @@ Array [
 exports[`generateLockFiles() maps dot files 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -176,7 +176,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@latest bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@latest bootstrap --no-ci -- --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",

lib/manager/npm/post-update/__snapshots__/npm.spec.ts.snap

@@ -48,7 +48,7 @@ exports[`generateLockFile performs full install 1`] = `Array []`;
 exports[`generateLockFile performs lock file updates 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit some-dep@1.0.1",
+    "cmd": "npm install --package-lock-only --ignore-scripts --no-audit some-dep@1.0.1",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",

lib/manager/npm/post-update/lerna.ts

@@ -36,10 +36,9 @@ export async function generateLockFiles(
       }
       cmdOptions = '--ignore-scripts --ignore-engines --ignore-platform';
     } else if (lernaClient === 'npm') {
-      if (skipInstalls === false) {
       cmdOptions = '--ignore-scripts  --no-audit';
-      } else {
-        cmdOptions = '--package-lock-only --no-audit';
+      if (skipInstalls !== false) {
+        cmdOptions += ' --package-lock-only';
       }
     } else {
       logger.warn({ lernaClient }, 'Unknown lernaClient');

lib/manager/npm/post-update/npm.ts

@@ -35,7 +35,7 @@ export async function generateLockFile(
       cmdOptions += '--ignore-scripts --no-audit';
     } else {
       logger.debug('Updating lock file only');
-      cmdOptions += '--package-lock-only --no-audit';
+      cmdOptions += '--package-lock-only --ignore-scripts --no-audit';
     }
     const tagConstraint = await getNodeConstraint(config);
     const execOptions: ExecOptions = {