Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When I run npm install, the generated package-lock.json file isn't synchronized with the package.json file. The npm ci command fails. If I run npm install a second time: the package-lock.json file is modified (and synchronized).

Expected Behavior

npm install creates a package-lock.json file synchronized.

Steps To Reproduce

• Create package.json with this content:

  {
    "name": "testcase",
    "version": "1.0.0",
    "devDependencies": {
      "addons-linter": "6.13.0",
      "htmlhint": "1.1.4"
    }
  }

• npm install

  added 261 packages, and audited 262 packages in 27s
  
  62 packages are looking for funding
    run `npm fund` for details
  
  found 0 vulnerabilities
  

• npm ci

  npm ERR! code EUSAGE
  npm ERR! 
  npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
  npm ERR! 
  npm ERR! Invalid: lock file's [email protected] does not satisfy [email protected]
  npm ERR! 
  npm ERR! Clean install a project
  npm ERR! 
  npm ERR! Usage:
  npm ERR! npm ci
  npm ERR! 
  npm ERR! Options:
  npm ERR! [--install-strategy <hoisted|nested|shallow|linked>] [--legacy-bundling]
  npm ERR! [--global-style] [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
  npm ERR! [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts] [--no-audit]
  npm ERR! [--no-bin-links] [--no-fund] [--dry-run]
  npm ERR! [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
  npm ERR! [-ws|--workspaces] [--include-workspace-root] [--install-links]
  npm ERR! 
  npm ERR! aliases: clean-install, ic, install-clean, isntall-clean
  npm ERR! 
  npm ERR! Run "npm help ci" for more info
  
  npm ERR! A complete log of this run can be found in: /home/regseb/.npm/_logs/2023-09-10T14_22_27_045Z-debug-0.log
  

• cp package-lock.json package-save.json
• npm install

  changed 1 package, and audited 262 packages in 1s
  
  62 packages are looking for funding
    run `npm fund` for details
  
  found 0 vulnerabilities
  

• diff package-lock.json package-save.json

  1837,1839c1837,1839
  <       "version": "2.6.11",
  <       "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.11.tgz",
  <       "integrity": "sha512-4I6pdBY1EthSqDmJkiNk3JIT8cswwR9nfeW/cPdUagJYEQG7R95WRH74wpz7ma8Gh/9dI9FP+OU+0E4FvtA55w==",
  ---
  >       "version": "2.7.0",
  >       "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
  >       "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",

The directory at the end with the files package.json, package-lock.json, package-save.json, and the directory node_modules/: testcase.zip

Environment

• npm: 10.0.0
• Node.js: v20.5.1
• OS Name: Ubuntu 22.04.3 LTS
• System Model Name: Dell Inspiron
• npm config:

; "user" config from /home/regseb/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; node bin location = /usr/bin/node
; node version = v20.5.1
; npm local prefix = /home/regseb/dev/testcase
; npm version = 10.0.0
; cwd = /home/regseb/dev/testcase
; HOME = /home/regseb
; Run `npm config ls -l` to show all defaults.

Related issues / pull request

• [BUG] npm can install an invalid tree with transitive optional peer deps #4859
• [BUG] npm install installs an invalid tree (as validated by npm ci) #5854
• [BUG] npm-ci failes if dependency with ^ has a new release that satifies #6378
• [BUG] Need to run npm install twice to fix npm ci command #7793
• [BUG] package-lock.json file inconsistent between different npm install runs #7841
• [BUG] npm dedupe step fails, a additional "npm i" run fixes the issue #7847
• [BC BREAK] version 11.6.2 breaks CI #8669
• [BUG] npm update generates package-lock.json that isn't considered in-sync by npm ci #8674
• [BUG] <title>version 11.6.2 breaks CI #8718
• [BUG] On v11.6.1 npm i or npm update generates different lock file contents on second run #8725
• [BUG] npm ci fails because npm install produces an out-of-sync lockfile (regression since v7.0.9) #8726
• [BUG] npm ci fails with newer versions of npm #8767
• [BUG] npm ci not working after successful npm install #8777
• [BUG] npm ci > 11.6.1 fails with architecture-related packages on lockfiles <= 11.6.1 #8805
• [BUG] <title>On v11.6.1 npm i or npm update generates different lock file contents on second run #8808
• feat(arborist)!: install optional peer dependencies #5301