[BUG] npm ci validates package-lock.json that is generated with an older version of npm and fails to resolve #5125

Closed
2 tasks done
irdkwmnsb opened this issue Jul 5, 2022 · 8 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

irdkwmnsb commented Jul 5, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

package-lock.json generated prior to 8.6.0 is generating package-locks that the new version cannot resolve:

npm ERR! code EUSAGE
npm ERR! 
npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR! 
npm ERR! Invalid: lock file's type-fest@0.21.3 does not satisfy type-fest@0.13.1
npm ERR! Missing: type-fest@0.21.3 from lock file
npm ERR! 
npm ERR! Clean install a project
npm ERR! 
npm ERR! Usage:
npm ERR! npm ci
npm ERR! 
npm ERR! Options:
npm ERR! [--no-audit] [--foreground-scripts] [--ignore-scripts]
npm ERR! [--script-shell <script-shell>]
npm ERR! 
npm ERR! aliases: clean-install, ic, install-clean, isntall-clean
npm ERR! 
npm ERR! Run "npm help ci" for more info

Common libraries like create-react-app use the @pmmmwh/react-refresh-webpack-plugin library, which has a dependency of type-fest@0.13.1. Versions of npm prior to 8.6.0 would not include type-fest@0.13.1 in the package-lock.json.

After the 8.6.0 release, old package-locks would not work for installing dependencies with npm ci

Expected Behavior

npm ci should not fail with lockfiles generated by older versions of npm

Steps To Reproduce

See this commit tree for an example of a project with a lockfile that is valid for an old version of npm and not valid for new ones.

Run npm ci with npm version 8.6.0 or higher to get the error, or see this GitHub Actions pipeline

Environment

  • npm: 8.13.2
  • Node.js: 16.15.1
  • OS Name: ubuntu-latest
  • System Model Name: Github actions runner
@irdkwmnsb irdkwmnsb added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jul 5, 2022
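The kind of check that produces the "Invalid: lock file's ... does not satisfy ..." line in the report above, as an added example that is not part of the original issue and not npm's own code. It walks a constructed lockfile fragment, resolves each dependency the way Node looks up node_modules, and compares the locked version with the requested range; the plugin version, the exact `0.13.1` range, the nested placement in `freshLock` and the helper names are assumptions, and the range matcher only understands exact versions and caret ranges.

```javascript
// Constructed lockfile fragment ("packages" layout). The type-fest versions come
// from the error above; the plugin version and ranges are placeholders.
const staleLock = {
  packages: {
    "": { dependencies: { "@pmmmwh/react-refresh-webpack-plugin": "^1.0.0" } },
    "node_modules/@pmmmwh/react-refresh-webpack-plugin": {
      version: "1.0.0",
      dependencies: { "type-fest": "0.13.1" },
    },
    "node_modules/type-fest": { version: "0.21.3" }, // hoisted copy
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Simplified matcher: exact versions and caret ranges only, no pre-release tags.
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith("^")) return cmp(v, parse(range)) === 0;
  const lo = parse(range.slice(1)), i = lo[0] ? 0 : lo[1] ? 1 : 2;
  const hi = lo.map((n, j) => (j < i ? n : j === i ? n + 1 : 0));
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Node-style lookup: the nearest node_modules first, then each ancestor's.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("node_modules/");
    dir = cut <= 0 ? "" : dir.slice(0, cut - 1);
  }
}

function checkLock(lock) {
  const problems = [];
  for (const [path, pkg] of Object.entries(lock.packages))
    for (const [name, range] of Object.entries(pkg.dependencies || {})) {
      const found = lock.packages[resolve(lock.packages, path, name)]?.version;
      if (!found) problems.push(`Missing: ${name}@${range} from lock file`);
      else if (!satisfies(found, range))
        problems.push(`Invalid: lock file's ${name}@${found} does not satisfy ${name}@${range}`);
    }
  return problems;
}

// Same tree plus the nested copy (placement assumed) a regenerated lockfile would record.
const freshLock = JSON.parse(JSON.stringify(staleLock));
freshLock.packages["node_modules/@pmmmwh/react-refresh-webpack-plugin/node_modules/type-fest"] = { version: "0.13.1" };
```

`checkLock(staleLock)` returns the single "Invalid" line for type-fest, while `checkLock(freshLock)` returns an empty list because the plugin now resolves its own nested copy before reaching the hoisted one.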

irdkwmnsb commented Jul 5, 2022

Resolution

Running npm i with a new version of npm and committing the relevant package-lock.json resolves this issue.

But if there was a bug in checking the dependency tree, shouldn't the users see a link to #5113 on how to resolve their issue when they encounter it?

Opening an issue here so other people that might encounter this exact issue can google it.

@irdkwmnsb irdkwmnsb changed the title [BUG] npm i doesn't solve all peer dependencies [BUG] npm ci validates package-lock.json that is generated with an older version of npm and fails to resolve Jul 5, 2022

eyalroth commented Jul 6, 2022

Happening for us too and currently breaking our CI builds on multiple repositories.

Edit:

> Running npm i with a new version of npm and committing the relevant package-lock.json resolves this issue.

This workaround seems to work.

@mkesavan13

Broke our CI builds too. Thanks @irdkwmnsb. Your workaround helped and has worked out for us too.

@wraithgar
Member

Please see pinned issue #5113


irdkwmnsb commented Jul 14, 2022

> Please see pinned issue #5113

@wraithgar
Why not include a link to that issue with the validation error?
I was only able to find the issue because I wanted to file a bug report, which most developers won't be doing.

orenyomtov added a commit to fireblocks/fireblocks-web3-provider that referenced this issue Aug 31, 2022
MoYeonWook added a commit to WebBlogProject/web-blog-frontend that referenced this issue Nov 29, 2022
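An error occurred when running 'npm ci' because package and package lock were not in sync.
Synchronized them with npm install.
Need to verify that 'npm ci' still runs in other environments after this commit.
Reference page: npm/cli#5125

Related: #10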
MoYeonWook added a commit to WebBlogProject/web-blog-frontend that referenced this issue Nov 29, 2022
'npm ci' results in an error because package-lock.json and package.json were
not synchronized. Therefore, 'npm install' was done.
reference: npm/cli#5125

related: #10
MoYeonWook added a commit to WebBlogProject/web-blog-frontend that referenced this issue Dec 10, 2022
'npm ci' results in an error because package-lock.json and package.json were
not synchronized. Therefore, 'npm install' was done.
reference: npm/cli#5125

related: #10

CalvinJamesHeath commented Mar 25, 2023

Irdkwmnsb, that was the only workaround for me out of all the options! I ran npm install after removing the package-lock.json file and node modules. Along with checking all dependencies for obsolete ones, several dependencies were also upgraded to the most recent version. It took me five hours to fix as I couldn't update my Firebase Cloud Functions.

I was getting the following 6 errors (with command firebase --debug deploy): {

  1. npm err! npm ci can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync.
  2. Invalid lock file's typescript@version does not satisfy typescript@version
  3. Error code EUSAGE
  4. Could not find image for function projects/etc/etc
  5. Missing URI for HTTPS function in printTriggerUrls. This shouldn't happen.
  6. "Invalid source token" code 9

}

THE SOLUTION FOR EVERYTHING 🥁(drumroll...)(MAC OS USES SUDO)

Npm will always use the version of npm installed with node. If you are running node, update node first by running:

$ sudo npm install -g n

(And to install the latest stable node release)

$ sudo n latest

And then check your npm version again - it should be updated. (npm -v)

Thank you so much!

konovalovsergey added a commit to ONLYOFFICE/build_tools that referenced this issue Aug 16, 2023
… web-apps"

This reverts commit 5012e4e.
because error with npm ci (-v 9) on package-lock.json(-v 6) file with local dependencies
npm/cli#5125
npm/cli#529
@juane1000

The suggested workaround also worked for me when trying to update a Firebase cloud function that serves a Nuxt app using Firebase CLI framework functionality. Deleted the initial package-lock.json, updated npm (cause why not), and ran npm install. Deploy worked finally.


robot-88 commented Feb 8, 2024

I tried deleting my package-lock.json and executed npm i, still my pipeline is failing. Can anyone help?

name: CI/CD

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [18.x]
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

    steps:
    - uses: actions/checkout@v3
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v3
      with:
        node-version: ${{ matrix.node-version }}
        cache: 'npm'
    - run: npm ci
    - run: npm run build --if-present
    - run: npm test