npm lock file out of sync

[json-derulo]

How are you running Renovate?

A Mend.io-hosted app

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I am using Renovate with lock file maintenance on many Angular projects (npm). I never had a problem with it, until this week. During lock file maintenance, Renovate updated the package-lock.json file. However when running npm ci on the project with the updated lockfile, I am getting the following error:

npm error code EUSAGE
npm error
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Invalid: lock file's chokidar@4.0.1 does not satisfy chokidar@3.6.0
npm error Missing: chokidar@4.0.1 from lock file
npm error Missing: glob-parent@5.1.2 from lock file
npm error Invalid: lock file's readdirp@4.0.2 does not satisfy readdirp@3.6.0
npm error Missing: picomatch@2.3.1 from lock file
npm error Missing: readdirp@4.0.2 from lock file

It seems like the generated lock file is invalid, some major versions are updated even if some packages don't allow it. This only happens on my Angular projects, other projects seem fine. Here is an example PR: json-derulo/angular-ecmascript-intl#469

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

I was able to reproduce this by:

• Cloning your repo
• Checking out this branch/PR
• Deleting package-lock.json
• Ensuring that node_modules was missing/empty
• Running npm i --package-lock-only

The resulting package-lock.json was the same.

In conclusion, npm i --package-lock-only is buggy, so Renovate would need to run npm i instead, which is slower but should always produce a correct result.

I wonder what it is about this repo/dependency list which triggers it. e.g. some uncommon case or peer dependencies or something like that.

[rarkins]

Unfortunately the reproduction turns out to be even simpler:

• Clone the repo
• Run npm i
• Run npm ci

Strangely, running npm i a second time seems to fix the problem. See log below:

/tmp/clone/angular-ecmascript-intl main
❯ rm package-lock.json 
Execution time: 0.03s

/tmp/clone/angular-ecmascript-intl main*
❯ npm i
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

added 1230 packages, and audited 1231 packages in 13s

204 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
Execution time: 12.82s

/tmp/clone/angular-ecmascript-intl main* 13s
❯ npm ci
npm error code EUSAGE
npm error
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Invalid: lock file's chokidar@4.0.1 does not satisfy chokidar@3.6.0
npm error Missing: chokidar@4.0.1 from lock file
npm error Missing: glob-parent@5.1.2 from lock file
npm error Invalid: lock file's readdirp@4.0.2 does not satisfy readdirp@3.6.0
npm error Missing: picomatch@2.3.1 from lock file
npm error Missing: readdirp@4.0.2 from lock file
npm error
npm error Clean install a project
npm error
npm error Usage:
npm error npm ci
npm error
npm error Options:
npm error [--install-strategy <hoisted|nested|shallow|linked>] [--legacy-bundling]
npm error [--global-style] [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
npm error [--include <prod|dev|optional|peer> [--include <prod|dev|optional|peer> ...]]
npm error [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts] [--no-audit]
npm error [--no-bin-links] [--no-fund] [--dry-run]
npm error [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
npm error [-ws|--workspaces] [--include-workspace-root] [--install-links]
npm error
npm error aliases: clean-install, ic, install-clean, isntall-clean
npm error
npm error Run "npm help ci" for more info
npm error A complete log of this run can be found in: /Users/rhys/.npm/_logs/2024-10-16T15_45_45_170Z-debug-0.log
Execution time: 0.57s

/tmp/clone/angular-ecmascript-intl main*
❯ npm i

added 5 packages, removed 16 packages, changed 2 packages, and audited 1220 packages in 1s

204 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
Execution time: 1.15s

/tmp/clone/angular-ecmascript-intl main*
❯ npm ci
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

added 1219 packages, and audited 1220 packages in 11s

204 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
Execution time: 10.88s

Definitely seems like an npm bug.

[json-derulo]

Thanks a lot for your thorough investigation! I have created an issue in the npm repo: npm/cli#7841

[GKersten]

Running into the same issue and found the issue on NPM repo. Is there a known work-around for renovate in the meantime?

[rarkins]

If you're self-hosted, you could add another npm install to postUpgradeTasks

[rarkins]

Someone suggested a workaround in npm/cli#6787