[BUG] npm ci > 11.6.1 fails with architecture-related packages on lockfiles <= 11.6.1 #8805
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Running npm ci with npm v11.6.1 works fine.
With npm 11.6.2 and 11.6.4, npm ci fails with the below errors - note it's only packages with optional architecture-specific versions that are producing errors:
npm error
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Missing: [email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @esbuild/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
npm error Missing: @rollup/[email protected] from lock file
Expected Behavior
I expected npm ci to just install the packages as it always did with v11.6.1 and earlier.
Steps To Reproduce
It seems since 11.6.2, npm fails if these optional: true packages are missing from the lock file, but npm 11.6.1 and earlier never added them to the lock file.
This may be the same as #8669 and/or related to #8726 but I'm not familiar enough with NPM to make that call (specifically whether it's architecture related or optional-dependency related). So please close as a duplicate if it's already covered by one of these.
Deleting package-lock.json from 11.6.1 and recreating it with 11.6.4 allows npm ci to run with 11.6.4. In this case, the package-lock.json created with 11.6.4 gets new stuff added to it that was not there in 11.6.1:
+ "node_modules/@esbuild/aix-ppc64": {
+ "version": "0.21.5",
+ "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz",
+ "integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==",
+ "cpu": [
+ "ppc64"
+ ],
+ "license": "MIT",
+ "optional": true,
+ "os": [
+ "aix"
+ ],
+ "engines": {
+ "node": ">=12"
+ }
+ },
+ "node_modules/@esbuild/android-arm": {
+ "version": "0.21.5",
+ "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz",
+ "integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==",
+ "cpu": [
+ "arm"
+ ],
+ "license": "MIT",
+ "optional": true,
+ "os": [
+ "android"
+ ],
+ "engines": {
+ "node": ">=12"
+ }
+ },
+ "node_modules/@esbuild/android-arm64": {
+ "version": "0.21.5",
+ "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz",
+ "integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==",
+ "cpu": [
+ "arm64"
+ ],
+ "license": "MIT",
+ "optional": true,
+ "os": [
+ "android"
+ ],
+ "engines": {
+ "node": ">=12"
+ }
+ },
...etc...The problem appears to be that from npm 11.6.2 and later, it is not compatible with package-lock.json files produced with 11.6.1 and earlier. I have tried it with Node 18, 22 and 24, npm 11.6.2 and 11.6.4, and it consistently fails, with package-lock.json created with 11.6.1.
I tried deleting package-lock.json and recreating it with npm install with the working v11.6.1. The recreated file was the same (there were no changes to commit to git) and npm ci worked with 11.6.1. Running this working set up with npm 11.6.2 and 11.6.4 fails with the above errors.
Environment
- npm: 11.6.1, 11.6.2, 11.6.4
- Node.js: 18, 22, 24
- OS Name: Linux
- System Model Name: Various