
[BUG] npm ci fails with newer versions of npm

Open TheRealWaldo opened this issue 1 month ago • 11 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

This issue exists in the latest npm version

  • [x] I am using the latest npm

Current Behavior

I haven't been able to install 11.6.3, but with 11.6.2, when running npm ci on an extremely simple package.json (and generating a brand new package-lock.json) it fails with:

npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Missing: @npmcli/[email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file

Expected Behavior

npm ci should install the packages that are listed in the package.json and package-lock.json

Steps To Reproduce

Create a simple package.json, run npm install, then run npm ci.

Environment

  • npm: 11.6.2
  • Node.js: 24.11.1
  • OS Name: Amazon Linux 2023/Debian
  • System Model Name: Mac OSX
  • npm config:
; "project" config from /workspaces/knowbot/.npmrc
 
@r3c-engineering:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = (protected)
registry = "https://registry.npmjs.org/"
 
; node bin location = /home/devuser/.nvm/versions/node/v24.11.1/bin/node
; node version = v24.11.1
; npm local prefix = /workspaces/knowbot
; npm version = 11.6.2
; cwd = /workspaces/knowbot
; HOME = /home/devuser
; Run `npm config ls -l` to show all defaults.

TheRealWaldo avatar Nov 21 '25 01:11 TheRealWaldo

Could this be related to https://github.com/npm/cli/issues/8726?

TheRealWaldo avatar Nov 21 '25 01:11 TheRealWaldo

Earlier issue (closed by the poster): #8669 - this broke in 11.6.2.

There's also #8674

dominykas avatar Nov 21 '25 08:11 dominykas

We had this problem as well. We are using @semantic-release/npm in our devDependencies, which in turn uses npm@^11.6.2 as dependency. As long as [email protected] was in the lock-file, everything was fine, but npm@11.6.3 now uses nopt@9 instead of [email protected].

I don't know exactly what's going wrong here, but we could fix the problem by adding this to our package.json:

"overrides": {
  "@semantic-release/npm": {
    "npm": "11.6.2"
  }
}

nknapp avatar Nov 21 '25 10:11 nknapp

Can confirm - npm ci was breaking in our pipeline - npm was updated to 11.6.3 with the name nopt showing multiple times in the package-lock.json


Rolling back to 11.6.0 worked for us

tanepiper avatar Nov 21 '25 11:11 tanepiper

To those who have semantic-release in their dependencies:

I was able to fix this issue by uninstalling all devDependencies related to semantic-release (thanks to semantic-release/semantic-release#3951).

According to the updated semantic-release documentation, it’s now recommended not to install semantic-release locally at all. Since it’s a release-time dependency rather than a development dependency, they suggest installing it globally in the CI environment or using npx during the release step.

After removing the local devDependencies (npm uninstall semantic-release @semantic-release/git @semantic-release/github) and re-running npm i, then npm ci, the issue was resolved for me.

kherzieandal avatar Nov 22 '25 14:11 kherzieandal

@kherzieandal The reason I want it in my lockfile is so that I get a locked version for supply chain attacks.

fardarter avatar Nov 24 '25 13:11 fardarter

https://github.com/semantic-release/semantic-release/discussions/3955

SchroederSteffen avatar Nov 24 '25 15:11 SchroederSteffen

Confirming, for security and compliance reasons we must keep dependencies pinned (by hashed ref). Any changes have to be scanned and human reviewed before the pins are updated, and this is a process that is already automated.

Further, our CI is ephemeral, and root/global level changes are forbidden.

Switching to an unpinned global install will not fly.

TheRealWaldo avatar Nov 24 '25 18:11 TheRealWaldo
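
The two concerns raised in this thread, nopt appearing more than once in package-lock.json (tanepiper's comment above) and the requirement that every dependency stay pinned by content hash (the two comments above), can both be checked mechanically before npm ci runs in CI. The following is an added example, not code from the npm project or from anyone in this thread. It assumes a lockfileVersion 3 package-lock.json (the "packages" map keyed by node_modules path) and uses a constructed sample lockfile whose names, versions, URLs and hashes are illustrative placeholders.

```javascript
// Added example (not npm's code): audit a lockfileVersion 3 package-lock.json.
// Reports (1) packages present more than once at different versions,
// (2) entries with no "resolved"/"integrity" pin, and (3) root package.json
// dependencies with no lockfile entry, the condition `npm ci` rejects as
// "Missing: ... from lock file".

// Constructed sample lockfile; names, versions, URLs and hashes are illustrative.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { semver: "^7.0.0" }, // no lockfile entry below: "missing"
      devDependencies: { "@semantic-release/npm": "^12.0.0" },
    },
    "node_modules/@semantic-release/npm": {
      version: "12.0.0",
      resolved: "https://registry.example.invalid/@semantic-release/npm/-/npm-12.0.0.tgz",
      integrity: "sha512-EXAMPLEHASH0",
      dependencies: { npm: "^11.6.2" },
    },
    "node_modules/npm": {
      version: "11.6.3",
      resolved: "https://registry.example.invalid/npm/-/npm-11.6.3.tgz",
      integrity: "sha512-EXAMPLEHASH1",
      dependencies: { nopt: "^9.0.0" },
    },
    // Hoisted copy at the old major ...
    "node_modules/nopt": {
      version: "8.1.0",
      resolved: "https://registry.example.invalid/nopt/-/nopt-8.1.0.tgz",
      integrity: "sha512-EXAMPLEHASH2",
    },
    // ... and a nested copy at the new major with no integrity pin.
    "node_modules/npm/node_modules/nopt": {
      version: "9.0.0",
      resolved: "https://registry.example.invalid/nopt/-/nopt-9.0.0.tgz",
    },
  },
};

// "node_modules/npm/node_modules/nopt" -> "nopt"; scoped names keep their scope.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Map each package name to the set of versions it appears at; keep those with > 1.
function findDuplicateVersions(lock) {
  const versions = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link) continue; // skip root and workspace links
    const name = packageNameFromPath(lockPath);
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(entry.version);
  }
  const duplicates = {};
  for (const [name, set] of versions) {
    if (set.size > 1) duplicates[name] = [...set].sort();
  }
  return duplicates;
}

// Entries fetched from a registry must carry both a URL and a content hash.
function findUnpinnedEntries(lock) {
  const unpinned = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    // Bundled deps ship inside their parent tarball and have no pin of their own.
    if (lockPath === "" || entry.link || entry.inBundle) continue;
    if (!entry.resolved || !entry.integrity) unpinned.push(lockPath);
  }
  return unpinned.sort();
}

// Every dependency declared on the root package needs a top-level lock entry.
function findMissingRootDeps(lock) {
  const root = lock.packages[""] || {};
  const declared = {
    ...(root.dependencies || {}),
    ...(root.devDependencies || {}),
    ...(root.optionalDependencies || {}),
  };
  return Object.keys(declared)
    .filter((name) => !(`node_modules/${name}` in lock.packages))
    .sort();
}

function auditLockfile(lock) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected a lockfile with a 'packages' map (lockfileVersion 2 or 3)");
  }
  return {
    duplicates: findDuplicateVersions(lock),
    unpinned: findUnpinnedEntries(lock),
    missing: findMissingRootDeps(lock),
  };
}

// CLI use: `node audit-lock.js [path/to/package-lock.json]` (file name is hypothetical).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const report = auditLockfile(lock);
  console.log(JSON.stringify(report, null, 2));
  // Duplicate versions are legal in npm and only informational; unpinned or
  // missing entries fail the build.
  process.exitCode = report.unpinned.length || report.missing.length ? 1 : 0;
}
```

On the sample above the report lists nopt at 8.1.0 and 9.0.0, flags node_modules/npm/node_modules/nopt as unpinned, and reports semver as missing. Nested duplicate versions are not an error in themselves (npm deliberately nests conflicting majors), so they are printed for review rather than failing the run; only a missing pin or a missing top-level entry sets a non-zero exit code, which is the policy the hashed-pin process described above needs.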

Also a note: this is not only related to semantic-release. npm ci is failing in several respects.

  • https://github.com/npm/cli/issues/8777
  • https://github.com/npm/cli/issues/8726
  • https://github.com/npm/cli/issues/7622
  • https://github.com/npm/cli/issues/8758
  • https://github.com/npm/cli/issues/8693
  • https://github.com/npm/cli/issues/8740
  • https://github.com/npm/cli/issues/8669

TheRealWaldo avatar Nov 25 '25 17:11 TheRealWaldo

Please use npm >= 11.6.3 to generate package-lock and when installing in CI. See problems with lower versions.

liamcmitchell avatar Dec 08 '25 15:12 liamcmitchell

The issue remains with 11.6.3. Others have reported the same.

TheRealWaldo avatar Dec 09 '25 02:12 TheRealWaldo