[BUG] `npm update` generates package-lock.json that isn't considered in-sync by `npm ci`

Open ulrichstark opened this issue 2 months ago • 6 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

This issue exists in the latest npm version

  • [x] I am using the latest npm

Current Behavior

Take this package.json:

{
    "private": true,
    "name": "repro-app",
    "version": "1.0.0",
    "license": "UNLICENSED",
    "type": "module",
    "dependencies": {
        "@tanstack/react-start": "1.133.2",
        "@tanstack/nitro-v2-vite-plugin": "1.132.40"
    }
}

Running `npm update` and then `npm ci` shows the following error:

npm error code EUSAGE
npm error
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file

Git diff after running npm update:

diff --git a/package-lock.json b/package-lock.json
index adc1001..92601e6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3258,6 +3258,16 @@
                 "node": ">= 8"
             }
         },
+        "node_modules/crossws": {
+            "version": "0.3.5",
+            "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
+            "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
+            "license": "MIT",
+            "peer": true,
+            "dependencies": {
+                "uncrypto": "^0.1.3"
+            }
+        },
         "node_modules/css-select": {
             "version": "5.2.2",
             "resolved": "https://registry.npmjs.org/css-select/-/css-select-5.2.2.tgz",
@@ -4011,15 +4021,6 @@
             "integrity": "sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg==",
             "license": "MIT"
         },
-        "node_modules/h3/node_modules/crossws": {
-            "version": "0.3.5",
-            "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
-            "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
-            "license": "MIT",
-            "dependencies": {
-                "uncrypto": "^0.1.3"
-            }
-        },
         "node_modules/hasown": {
             "version": "2.0.2",
             "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
@@ -4554,15 +4555,6 @@
                 "listhen": "bin/listhen.mjs"
             }
         },
-        "node_modules/listhen/node_modules/crossws": {
-            "version": "0.3.5",
-            "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
-            "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
-            "license": "MIT",
-            "dependencies": {
-                "uncrypto": "^0.1.3"
-            }
-        },
         "node_modules/listhen/node_modules/pathe": {
             "version": "1.1.2",
             "resolved": "https://registry.npmjs.org/pathe/-/pathe-1.1.2.tgz",
@@ -4907,15 +4899,6 @@
                 "url": "https://paulmillr.com/funding/"
             }
         },
-        "node_modules/nitropack/node_modules/crossws": {
-            "version": "0.3.5",
-            "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.3.5.tgz",
-            "integrity": "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA==",
-            "license": "MIT",
-            "dependencies": {
-                "uncrypto": "^0.1.3"
-            }
-        },
         "node_modules/nitropack/node_modules/readdirp": {
             "version": "4.1.2",
             "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",

Expected Behavior

Running `npm update` should produce a lock file that is considered "in sync" by `npm ci`.

Steps To Reproduce

  1. Clone https://github.com/ulrichstark/unstable-npm-lock-file-repro.git
  2. Run npm update
  3. Run npm ci

Environment

  • npm: 11.6.2
  • Node.js: v24.10.0
  • OS Name: macOS Tahoe 26.0.1
  • System Model Name: Macbook Pro M4
  • npm config:
; node bin location = /Users/ulrichstark/.nvm/versions/node/v24.10.0/bin/node
; node version = v24.10.0
; npm local prefix = /Users/ulrichstark/Desktop/unstable-npm-lock-file-repro
; npm version = 11.6.2
; cwd = /Users/ulrichstark/Desktop/unstable-npm-lock-file-repro
; HOME = /Users/ulrichstark

ulrichstark avatar Oct 15 '25 07:10 ulrichstark
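
An added example, not from the issue or from npm's code: a Node.js check for the pattern visible in the diff above, where a non-peer package's regular dependency resolves to a lock-file entry flagged `"peer": true` (or to no entry at all). The sample lock file is constructed, `resolveInLock` and `findPeerOnlyResolutions` are hypothetical helper names, and the check assumes the lockfile v2/v3 `packages` layout and Node's walk-up `node_modules` resolution.

```javascript
// Added example (not npm's code): report regular dependencies whose nearest
// lock-file entry is flagged "peer": true, or that have no entry at all.
// Assumes lockfileVersion 2/3: "packages" keyed by install path, "" = root project.

// Find the nearest node_modules/<name> entry by walking up from the dependent's
// install path, the way Node resolves modules.
function resolveInLock(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (Object.hasOwn(packages, candidate)) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function findPeerOnlyResolutions(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (entry.peer === true) continue; // a peer-only dependent may pull peer-only deps
    for (const name of Object.keys(entry.dependencies || {})) {
      const resolved = resolveInLock(packages, path, name);
      if (resolved === null) {
        findings.push({ from: path || "<root>", name, problem: "missing" });
      } else if (packages[resolved].peer === true) {
        findings.push({ from: path || "<root>", name, problem: "peer-only", resolved });
      }
    }
  }
  return findings;
}

// Constructed sample: paths, crossws 0.3.5 and the uncrypto range are taken from the
// diff; the h3 version and h3's dependency list are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "repro-app", dependencies: { h3: "0.0.0" } },
    "node_modules/h3": { version: "0.0.0", dependencies: { crossws: "^0.3.5" } },
    "node_modules/crossws": { version: "0.3.5", peer: true, dependencies: { uncrypto: "^0.1.3" } },
    "node_modules/uncrypto": { version: "0.1.3", peer: true },
  },
};

console.log(findPeerOnlyResolutions(sampleLock));
```

Semver ranges are not evaluated; the check only looks at which entry each dependency resolves to and whether that entry carries the `peer` flag.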

I guess this is a duplicate of #8669

DaSchTour avatar Oct 15 '25 10:10 DaSchTour

> I guess this is a duplicate of #8669

I'm not sure. My issue is also present in 11.6.0 while your linked issue seems to have appeared first in 11.6.2.

ulrichstark avatar Oct 15 '25 11:10 ulrichstark

Also, #6787 sounds similar, but is about `npm install` and not about `npm update`.

ulrichstark avatar Oct 15 '25 11:10 ulrichstark

I also mentioned on https://github.com/npm/cli/issues/8669 that I had a similar issue at least in 11.6.1. Not sure if it was also in 11.6.0, but the outcome looks very familiar.

DaSchTour avatar Oct 16 '25 12:10 DaSchTour

Please use npm >= 11.6.3 to generate package-lock and when installing in CI. See problems with lower versions.

liamcmitchell avatar Dec 08 '25 15:12 liamcmitchell

> Please use npm >= 11.6.3 to generate package-lock and when installing in CI. See problems with lower versions.

Thanks, but the issue is still present even when using npm 11.6.4.

ulrichstark avatar Dec 09 '25 07:12 ulrichstark