[BUG] package-lock.json file inconsistent between different npm install runs #7841

@json-derulo

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The package-lock.json file created during npm install is inconsistent and sometimes generates a lock file which is out of sync

Expected Behavior

The package-lock.json file created during npm install is consistent and generates a lock file which is always in sync

Steps To Reproduce

  1. Clone the following repo: https://github.com/json-derulo/angular-ecmascript-intl

  2. Remove the lock file: `rm package-lock.json`

  3. Run `npm install`

  4. Run `npm ci`

    The following error is thrown:

    `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync.
    Please update your lock file with `npm install` before continuing.

  5. Run `npm install` again -> the lock file is changed!

  6. Run `npm ci` again -> this time it succeeds

Why this is a problem

I am using Renovate to automate the dependency updates, with the lockFileMaintenance option. With this issue, the bot creates an invalid lock file which needs to be manually fixed. I run the bot on several Angular projects and all have this issue.

Environment

  • npm: 10.9.0
  • Node.js: 20.18.0
  • OS Name: macOS 12.7.6
  • System Model Name: MacBook Pro
  • npm config:

    ; "builtin" config from /usr/local/lib/node_modules/npm/npmrc

    prefix = "/usr/local"

    ; "user" config from /Users/json-derulo/.npmrc

    //registry.npmjs.org/:_authToken = (protected)

    ; node bin location = /usr/local/bin/node
    ; node version = v20.18.0
    ; npm local prefix = /Users/json-derulo/projects/angular-ecmascript-intl
    ; npm version = 10.9.0
    ; cwd = /Users/json-derulo/projects/angular-ecmascript-intl
    ; HOME = /Users/json-derulo
    ; Run `npm config ls -l` to show all defaults.
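
An offline pre-check for one class of out-of-sync lock file like the one reported above, added here as an example (it is not npm's own validation and not code from the reporter): it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists dependency edges that no locked entry can satisfy. It assumes npm 7+ behaviour where non-optional peer dependencies are installed, and it does not compare semver ranges; `resolveInLock`, `findMissingEdges` and `sampleLock` are names invented for the example.

```javascript
// Added example: report dependency edges a package-lock.json cannot resolve.
// Approximation only: version ranges are not checked against locked versions.

// Node-style lookup: start inside `fromPath`, then walk up parent node_modules.
function resolveInLock(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (candidate in packages) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

function findMissingEdges(lock) {
  const packages = lock.packages || {};
  const missing = [];
  for (const [path, entry] of Object.entries(packages)) {
    const peerMeta = entry.peerDependenciesMeta || {};
    const required = { ...entry.dependencies };
    // Assumption: non-optional peers must be present (npm 7+ default).
    for (const [name, range] of Object.entries(entry.peerDependencies || {})) {
      if (!(peerMeta[name] && peerMeta[name].optional)) required[name] = range;
    }
    // The root entry ("") also carries devDependencies that get installed.
    if (path === '') Object.assign(required, entry.devDependencies);
    for (const [name, range] of Object.entries(required)) {
      if (resolveInLock(packages, path, name) === null) {
        missing.push({ from: path || '(root)', name, range });
      }
    }
  }
  return missing;
}

// Constructed sample lock file (not taken from the repository in this issue).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo', dependencies: { 'lib-a': '^1.0.0' }, devDependencies: { 'tool-b': '^2.0.0' } },
  'node_modules/lib-a': { version: '1.2.0', dependencies: { 'lib-c': '^3.0.0' },
    peerDependencies: { 'peer-d': '^4.0.0', 'peer-e': '^5.0.0' },
    peerDependenciesMeta: { 'peer-e': { optional: true } } },
  'node_modules/lib-a/node_modules/lib-c': { version: '3.1.0' },
  'node_modules/tool-b': { version: '2.0.1', dependencies: { 'lib-c': '^3.0.0' } },
} };

console.log(findMissingEdges(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findMissingEdges` and fail the pipeline when the returned array is non-empty.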

Labels: Bug (thing that needs fixing), Duplicate (duplicate of another, existing issue)
