[BUG] `npm ci` validates `package-lock.json` that is generated with an older version of `npm` and fails to resolve

[irdkwmnsb]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

package-lock.json generated prior to 8.6.0 is generating package-locks that the new version cannot resolve:

npm ERR! code EUSAGE
npm ERR! 
npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR! 
npm ERR! Invalid: lock file's type-fest@0.21.3 does not satisfy type-fest@0.13.1
npm ERR! Missing: type-fest@0.21.3 from lock file
npm ERR! 
npm ERR! Clean install a project
npm ERR! 
npm ERR! Usage:
npm ERR! npm ci
npm ERR! 
npm ERR! Options:
npm ERR! [--no-audit] [--foreground-scripts] [--ignore-scripts]
npm ERR! [--script-shell <script-shell>]
npm ERR! 
npm ERR! aliases: clean-install, ic, install-clean, isntall-clean
npm ERR! 
npm ERR! Run "npm help ci" for more info

Common libraries like create-react-app use @ pmmmwh/react-refresh-webpack-plugin library which has a dependency of type-fest@0.13.1. Version of npm prior to 8.6.0 would not include type-fest@0.13.1 in the package-lock.json

After the 8.6.0 release, old package-locks would not work for installing dependencies with npm ci

Expected Behavior

npm ci should not fail with lockfiles generated by older version npm

Steps To Reproduce

See this commit tree for an example of a project with a lockfile that is valid for an old version of npm and not valid for new ones.

Run npm ci with npm version 8.6.0 or higher to get the error or see this github actions pipeline

Environment

• npm: 8.13.2
• Node.js: 16.15.1
• OS Name: ubuntu-latest
• System Model Name: Github actions runner

[irdkwmnsb]

Resolvement

Running npm i with a new version of npm and committing the relevant package-lock.json resolves this issue.

But if there was a bug in checking the dependency tree, shouldn't the users see a link to #5113 on how to resolve their issue when they encounter it?

Opening an issue here so other people that might encounter this exact issue can google it.

[eyalroth]

Happening for us too and currently breaking our CI builds on multiple repositories.

Edit:

Running npm i with a new version of npm and committing the relevant package-lock.json resolves this issue.

This workaround seems to work.

[mkesavan13]

Broke our CI builds too. Thanks @irdkwmnsb. Your workaround helped and have worked out for us too.

[wraithgar]

Please see pinned issue #5113

[irdkwmnsb]

Please see pinned issue #5113

@wraithgar
Why not include a link to that issue with the validation error?
I was only able to find the issue because I wanted to file a bug report, which most developers won't be doing.