npm ci command fails with version 18.2.8 #28629

Closed
1 task done
acohenOT opened this issue Oct 14, 2024 · 8 comments

@acohenOT
Contributor

Command

other

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

18.2.7

Description

Using command npm ci on a clean Angular 18.2.8 project, the command fails with an error.

Minimal Reproduction

  1. Run npm new angular182. Select SCSS and no SSR.
  2. cd angular182
  3. run npm ci

Exception or Error

npm error code EUSAGE
npm error
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm error
npm error Invalid: lock file's [email protected] does not satisfy [email protected]
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file
npm error Invalid: lock file's [email protected] does not satisfy [email protected]
npm error Missing: [email protected] from lock file
npm error Missing: [email protected] from lock file

Your Environment

Angular CLI: 18.2.8
Node: 20.18.0
Package Manager: npm 10.9.0
OS: win32 x64

Angular: 18.2.8
... animations, cli, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1802.8
@angular-devkit/build-angular   18.2.8
@angular-devkit/core            18.2.8
@angular-devkit/schematics      18.2.8
@schematics/angular             18.2.8
rxjs                            7.8.1
typescript                      5.5.4
zone.js                         0.14.10

Anything else relevant?

Same issue occurs after regenerating package-lock.json.

  1. delete package-lock.json
  2. delete node_modules directory
  3. run npm install - regenerates package-lock.json and node_modules
  4. run npm ci

@alan-agius4
Collaborator

Looks like you are experiencing one of the npm ci bugs listed in: npm/cli#6787

@alan-agius4 closed this as not planned on Oct 14, 2024
@MarcoGlauser

We ran into the same issue trying to upgrade our lock files with renovate.
Manual intervention with an npm install resolved it temporarily. But every time we run npm update again, it creates an invalid package-lock file.
It seems there's a certain constellation of dependencies at the moment that makes npm update fail reliably on chokidar.

@zackmenendez

This is, indeed, an npm issue, but if you got here and are looking for a workaround because npm ci is broken and complaining about chokidar and other invalid dedups, the simplest fix for us was to regenerate our package-lock.json files by running npm install twice in a row.

So, to get a fresh package-lock.json we will run:

rm -rf node_modules/; rm package-lock.json; npm install; npm install

@berkon

berkon commented Oct 18, 2024

First we tried to switch to Angular 18.2.9 hoping that the issue would be solved there, but that didn't help.

Overriding the chokidar version in package.json looks to be a good workaround:

"overrides": {
  "chokidar": "4.0.1"
}

@AmebaBrain

> This is, indeed, an npm issue, but if you got here and are looking for a workaround because npm ci is broken and complaining about chokidar and other invalid dedups, the simplest fix for us was to regenerate our package-lock.json files by running npm install twice in a row.
>
> So, to get a fresh package-lock.json we will run:
>
> rm -rf node_modules/; rm package-lock.json; npm install; npm install

This weird thing works! Many thanks for sharing. Any reasoning behind twice in a row execution?

@zackmenendez

> This weird thing works! Many thanks for sharing. Any reasoning behind twice in a row execution?

Pure speculation on my part (based on reading the comments in the npm issue linked above and my own observations), but for whatever confluence of reasons, when running npm install in this situation once, npm doesn't fully resolve/install the dependencies requested by all packages.

For example a common situation is like:

  • package a depends on package c@^1.0.0
  • package b depends on package c@^2.0.0

When npm install runs, it will install both versions of package c (at least one of which will end up under a package's own install such as node_modules/a/node_modules/c).

Well, again, for some reason in this situation with Angular and chokidar, both versions of the "same package" (chokidar) needed (3.6.0 and 4.0.1) are not getting installed satisfactorily for every library. In my specific testing, I found that on the first run of npm install, chokidar 4.0.1 was installed in the "main" node_modules directory and some but not all packages that needed an older version had a local install of 3.6.0. This would fail npm ci. On a subsequent run of npm install, I found that the "main" directory version of chokidar changed to 3.6.0, and 4.0.1 was locally installed to the few places that needed it, such as @angular/compiler-cli. At this point npm ci succeeds.

Why? Not sure, but it's an npm bug. 😄
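The nesting described in the comment above can be checked mechanically. The following is an added example, not part of the original thread and not npm's own code: a simplified consistency check over a lockfile `packages` map that resolves each dependency the way Node does (nearest `node_modules` first) and reports the same two error classes shown in the issue. The package names `needs-v4`, `needs-v3-a` and `needs-v3-b` and both lock layouts are constructed; only exact, `^` and `~` ranges are handled.

```javascript
// Added example: simplified form of the lock-file consistency check behind the
// `npm ci` errors in this issue. Exact, ^ and ~ ranges only (assumption).
const parse = (v) => v.replace(/^[\^~=]/, '').split('.').map(Number);
function satisfies(version, range) {
  const v = parse(version), r = parse(range);
  const cmp = v[0] - r[0] || v[1] - r[1] || v[2] - r[2];
  const same = (n) => v.slice(0, n).join() === r.slice(0, n).join();
  if (range[0] === '~') return cmp >= 0 && same(2);
  if (range[0] === '^') return cmp >= 0 && same(r[0] ? 1 : r[1] ? 2 : 3);
  return cmp === 0;
}

// Node-style lookup: nearest node_modules first, then walk up to the root.
function resolve(packages, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return packages[candidate].version;
    if (!dir) return null;
    const i = dir.lastIndexOf('node_modules/');
    dir = i <= 0 ? '' : dir.slice(0, i - 1);
  }
}

function checkLock(lock) {
  const problems = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    for (const [name, range] of Object.entries(pkg.dependencies || {})) {
      const got = resolve(lock.packages, path, name);
      if (got === null) problems.push(`Missing: ${name}@${range} from lock file`);
      else if (!satisfies(got, range))
        problems.push(`Invalid: lock file's ${name}@${got} does not satisfy ${name}@${range}`);
    }
  }
  return problems;
}

// Constructed sample data; package names other than chokidar are hypothetical.
const dep = (range) => ({ version: '1.0.0', dependencies: { chokidar: range } });
const base = {
  '': { dependencies: { 'needs-v4': '1.0.0', 'needs-v3-a': '1.0.0', 'needs-v3-b': '1.0.0' } },
  'node_modules/needs-v4': dep('^4.0.1'),
  'node_modules/needs-v3-a': dep('^3.6.0'), 'node_modules/needs-v3-b': dep('^3.6.0'),
};
const layout = (rootVer, nestedIn, nestedVer) => ({ packages: { ...base,
  'node_modules/chokidar': { version: rootVer },
  [`node_modules/${nestedIn}/node_modules/chokidar`]: { version: nestedVer } } });
const firstInstall = layout('4.0.1', 'needs-v3-a', '3.6.0');  // one consumer left unsatisfied
const secondInstall = layout('3.6.0', 'needs-v4', '4.0.1');   // every consumer satisfied
console.log(checkLock(firstInstall), checkLock(secondInstall));
```

Running a check like this in CI before `npm ci` surfaces which consumer resolves to the wrong hoisted copy, rather than only that the lock file is out of sync.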

@FrancescoBorzi

> So, to get a fresh package-lock.json we will run:
>
> rm -rf node_modules/; rm package-lock.json; npm install; npm install
>
> This weird thing works! Many thanks for sharing. Any reasoning behind twice in a row execution?

This also worked for me. I could not imagine I needed to run npm install; npm install twice in order to get this working. Thanks for sharing.

LionMarc added a commit to LionMarc/ng-simple-state-management that referenced this issue Nov 4, 2024
* Fix security alert

* Regenerate package-lock.json

* Try to fix dependency issue on github

* Trying solution of angular/angular-cli#28629 (comment)

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot locked and limited conversation to collaborators on Nov 26, 2024