[BUG] npm update generates package-lock.json that isn't considered in-sync by npm ci #8674
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Take this package.json:
{
"private": true,
"name": "repro-app",
"version": "1.0.0",
"license": "UNLICENSED",
"type": "module",
"dependencies": {
"@tanstack/react-start": "1.133.2",
"@tanstack/nitro-v2-vite-plugin": "1.132.40"
}
}Running npm update and then npm ci shows following error:
npm error code EUSAGE
npm error
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
Git diff after running npm update:
diff --git a/package-lock.json b/package-lock.json
index adc1001..92601e6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3258,6 +3258,16 @@
"node": ">= 8"
}
},
+ "node_modules/crossws": {
+ "version": "0.3.5",
+ "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
+ "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
+ "license": "MIT",
+ "peer": true,
+ "dependencies": {
+ "uncrypto": "^0.1.3"
+ }
+ },
"node_modules/css-select": {
"version": "5.2.2",
"resolved": "https://registry.npmjs.org/css-select/-/css-select-5.2.2.tgz",
@@ -4011,15 +4021,6 @@
"integrity": "sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg==",
"license": "MIT"
},
- "node_modules/h3/node_modules/crossws": {
- "version": "0.3.5",
- "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
- "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
- "license": "MIT",
- "dependencies": {
- "uncrypto": "^0.1.3"
- }
- },
"node_modules/hasown": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
@@ -4554,15 +4555,6 @@
"listhen": "bin/listhen.mjs"
}
},
- "node_modules/listhen/node_modules/crossws": {
- "version": "0.3.5",
- "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
- "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
- "license": "MIT",
- "dependencies": {
- "uncrypto": "^0.1.3"
- }
- },
"node_modules/listhen/node_modules/pathe": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/pathe/-/pathe-1.1.2.tgz",
@@ -4907,15 +4899,6 @@
"url": "https://paulmillr.com/funding/"
}
},
- "node_modules/nitropack/node_modules/crossws": {
- "version": "0.3.5",
- "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
- "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
- "license": "MIT",
- "dependencies": {
- "uncrypto": "^0.1.3"
- }
- },
"node_modules/nitropack/node_modules/readdirp": {
"version": "4.1.2",
"resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",Expected Behavior
Running npm update should produce a lock file that is considered "in sync" by npm ci
Steps To Reproduce
- Clone
https://github.com/ulrichstark/unstable-npm-lock-file-repro.git - Run
npm update - Run
npm ci
Environment
- npm: 11.6.2
- Node.js: v24.10.0
- OS Name: macOS Tahoe 26.0.1
- System Model Name: Macbook Pro M4
- npm config:
; node bin location = /Users/ulrichstark/.nvm/versions/node/v24.10.0/bin/node
; node version = v24.10.0
; npm local prefix = /Users/ulrichstark/Desktop/unstable-npm-lock-file-repro
; npm version = 11.6.2
; cwd = /Users/ulrichstark/Desktop/unstable-npm-lock-file-repro
; HOME = /Users/ulrichstark