
[BUG] `npm install` creates unsync `package-lock.json`

Mar 14, 2026 (0 views)
Confidence Score: 81%

Problem

Is there an existing issue for this?

- [X] I have searched the existing issues

This issue exists in the latest npm version

- [X] I am using the latest npm

Current Behavior

When I run `npm install`, the generated `package-lock.json` file isn't synchronized with the `package.json` file. The `npm ci` command fails. If I run `npm install` a second time: the `package-lock.json` file is modified (and synchronized).

Expected Behavior

`npm install` creates a synchronized `package-lock.json` file.

Steps To Reproduce

- Create `package.json` with this content: [code block]
- `npm install` [code block]
- `npm ci` [code block]
- `cp package-lock.json package-save.json`
- `npm install` [code block]
- `diff package-lock.json package-save.json` [code block]

The directory at the end with the files `package.json`, `package-lock.json`, `package-save.json`, and the directory `node_modules/`: testcase.zip

Environment

- npm: 10.0.0
- Node.js: v20.5.1
- OS Name: Ubuntu 22.04.3 LTS
- System Model Name: Dell Inspiron
- npm config: [code block]

Related issues / pull request

- https://github.com/npm/cli/issues/4859
- https://github.com/npm/cli/issues/5854
- https://github.com/npm/cli/issues/6378
- https://github.com/npm/cli/issues/7793
- https://github.com/npm/cli/issues/7841
- https://github.com/npm/cli/issues/7847
- https://github.com/npm/cli/issues/8669
- https://github.com/npm/cli/issues/8674
- https://github.com/npm/cli/issues/8718
- https://github.com/npm/cli/issues/8725


1 Fix

Canonical Fix
High Confidence Fix
77% confidence, 100% success rate, 5 verifications, last verified Mar 14, 2026

Solution: [BUG] `npm install` creates unsync `package-lock.json`

Low Risk

TL;DR: this goes back to 7.0.9 which was the first release that caused the locked versions to be ignored on `npm ci`. The error `Invalid: lock file's ... does not satisfy ...` was introduced in 8.4.1 and is indeed correctly thrown as a guard against sneaky upgrades, but sneaky upgrades are actually caused by these two changes from the past (both still cause `npm ci` to misbehave):

- 7.0.9: 0e58e6f (`npm ci` installs newer version than what is in the lock).
- 8.6.0: bd96ae4 (`npm ci` throws the 8.4.1 assertion but would otherwise install newer version than what is in the lock).

Thus, the last glitch-free npm version is: 7.0.8

_(As for the currently implemented installation error - it would serve much better as a test-case in integration test suite rather than user-facing functionality where it just causes confusion due to config-vs-lock being completely valid when it is thrown)._
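A drift check that can run before `npm ci` to catch the out-of-sync condition described in the issue, as an added example (not npm's code and not taken from the issue or its testcase.zip). It assumes lockfileVersion 2 or 3, where `packages[""]` mirrors the root manifest, compares declared ranges as plain strings without evaluating semver, and uses a hypothetical helper name `findLockDrift` with constructed package names.

```javascript
// Added example: offline drift check between package.json and package-lock.json.
// Assumption: lockfileVersion 2/3, where lock.packages[""] records the root
// project's declared ranges and "node_modules/<name>" holds the locked version.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function findLockDrift(manifest, lock) {
  if (!lock.packages || !lock.packages['']) {
    return ['lockfile has no packages[""] root entry (lockfileVersion 1?)'];
  }
  const problems = [];
  const root = lock.packages[''];
  for (const field of DEP_FIELDS) {
    const declared = manifest[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name} missing from lock root entry`);
      } else if (locked[name] !== range) {
        // The lock was generated for a different declared range.
        problems.push(`${field}: ${name} declared ${range}, lock recorded ${locked[name]}`);
      }
      // Every direct dependency needs a pinned version (or a workspace link).
      const entry = lock.packages[`node_modules/${name}`];
      if (!entry || (!entry.version && !entry.link)) {
        problems.push(`${field}: ${name} has no locked version`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}: ${name} in lock but not in package.json`);
      }
    }
  }
  return problems;
}

// Constructed sample input; in CI, pass the parsed contents of the two files.
const sampleManifest = { dependencies: { 'example-a': '^2.0.0', 'example-b': '~1.4.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-a': '^1.9.0', 'example-b': '~1.4.0' } },
    'node_modules/example-a': { version: '1.9.3' },
  },
};
console.log(findLockDrift(sampleManifest, sampleLock));
```

An empty result only means the declared ranges and direct entries line up; `npm ci` remains the authoritative check for whether locked versions satisfy their ranges.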

Validation

Resolved in npm/cli GitHub issue #6787. Community reactions: 9 upvotes.

Verification Summary

Worked: 5
Partial: 1
Last verified Mar 14, 2026


Submitted by

Alex Chen

2450 rep

Tags

npm, package-manager, nodejs, bug, priority-1, release-9.x, release-10.x