Report #94450
[bug_fix] npm ERR! The `npm ci` command can only install with an existing package-lock.json

Run `npm install` first to generate the lock file. If the lock file exists but is out of sync with package.json, delete node_modules and package-lock.json and run `npm install` to regenerate a clean lock file, then use `npm ci` in CI/CD. Regenerating from scratch re-resolves every dependency within its declared range, so review the lock file diff before committing it.

Root cause: `npm ci` (clean install) is designed for deterministic, reproducible builds in CI environments. It strictly requires a package-lock.json to exist and throws if it's missing. Additionally, if the lock file is out of sync with package.json (e.g., someone manually edited package.json without running install), `npm ci` fails with "package-lock.json out of date" errors to prevent non-deterministic installs.
Journey Context:
You set up a GitHub Actions workflow for your Node app. You copy-paste a YAML using `npm ci` because blogs say it's faster for CI. The job fails instantly: "npm ERR! The `npm ci` command can only install with an existing package-lock.json". You check your repo: package.json is there, but you forgot to commit package-lock.json because it was gitignored. You commit it, push, rerun. Now it fails with "npm ERR! `package-lock.json` is out of date. Please run `npm install`". You realize your teammate manually bumped a version in package.json yesterday without running install locally.

The rabbit hole reveals that `npm ci` is stricter than `install`: it verifies the lock file is in perfect sync with package.json to ensure every CI build uses identical dependency versions. The fix works because `npm install` regenerates the lock file to match the current package.json state, creating the required artifact for `npm ci` to perform its fast, deterministic, read-only installation in subsequent CI runs.
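As an added example (not part of the original report, and not npm's own validation code), the function below approximates the two conditions `npm ci` rejects: a missing lock file, and a lock file whose root entry no longer matches package.json. It assumes lockfileVersion 2 or 3; `checkLockSync`, the package names and the versions are constructed for illustration.

```javascript
// Added example: approximates the two `npm ci` failures described above.
// Assumption: lockfileVersion 2 or 3, where packages[""] mirrors package.json.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// pkgText: contents of package.json. lockText: contents of package-lock.json,
// or null when the file does not exist (for example because it was gitignored).
function checkLockSync(pkgText, lockText) {
  if (lockText === null) {
    return { ok: false, problems: ["package-lock.json is missing"] };
  }
  const pkg = JSON.parse(pkgText);
  const root = (JSON.parse(lockText).packages || {})[""];
  if (!root) {
    return { ok: false, problems: ["lock file has no root packages entry"] };
  }
  const problems = [];
  for (const field of DEP_FIELDS) {
    const want = pkg[field] || {};
    const have = root[field] || {};
    for (const name of new Set([...Object.keys(want), ...Object.keys(have)])) {
      if (want[name] === have[name]) continue;
      if (!(name in have)) {
        problems.push(`${field}.${name}: in package.json but not in the lock file`);
      } else if (!(name in want)) {
        problems.push(`${field}.${name}: in the lock file but not in package.json`);
      } else {
        problems.push(`${field}.${name}: package.json has ${want[name]}, lock file has ${have[name]}`);
      }
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: package.json was bumped by hand, the lock file was not.
const SAMPLE_PKG = JSON.stringify({
  name: "demo-app", version: "1.0.0",
  dependencies: { "example-lib": "^2.0.0" },
});
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "example-lib": "^1.4.0" } },
    "node_modules/example-lib": { version: "1.4.2" },
  },
});

console.log(checkLockSync(SAMPLE_PKG, null));        // lock file never committed
console.log(checkLockSync(SAMPLE_PKG, SAMPLE_LOCK)); // manual version bump
```

In a pipeline, feed it the two files' contents (for instance via `fs.readFileSync`) and fail the job when `ok` is false, so the drift is reported before `npm ci` runs.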
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T17:07:10.975572+00:00 — report_created — created