nx release updating lock file un-syncs lock file with package.json #22066

@m-thalmann

Current Behavior

When executing the nx release command the package-lock.json file is updated (which is expected). But it also removes peer-dependencies which are actually in use. Therefore subsequent npm ci calls fail, because the package.json and the package-lock.json file are not in sync anymore (executing npm i adds the dependencies back to the lock file).

In my case this refers to the following transitive (peer-)dependencies of @nx/js:

  • @types/node
  • typescript
  • undici-types

Expected Behavior

The nx release command updates the package-lock file, but only updates the versions of the newly released packages and does not remove any used (peer-)dependencies.

GitHub Repo

https://github.com/m-thalmann/codestyle-packages/

Steps to Reproduce

  1. Create a Nx Package-Based project (pure JS, no Typescript)
  2. Create a package and commit the changes
  3. Setup Nx Release
    • I used the following config:
      {
        "release": {
          "projects": ["*"],
          "projectsRelationship": "independent",
          "version": {
            "conventionalCommits": true
          },
          "git": {
            "commitMessage": "build(release): create new versions of packages"
          },
          "changelog": {
            "projectChangelogs": {
              "renderOptions": {
                "authors": false
              }
            }
          }
        }
      }
  4. Run nx release --skip-publish --first-release (or omit the skip-publish, does not matter) (it's also not dependent on the first release flag)
  5. Inspect the created commit: The package-lock should be updated with the above mentioned dependencies removed
  6. Run npm ci -> this will fail

Nx Report

Node   : 20.11.0
OS     : win32-x64
npm    : 10.2.4

nx (global)    : 18.0.3
nx             : 18.0.5
@nx/js         : 18.0.5
@nx/workspace  : 18.0.5
@nx/devkit     : 18.0.5
@nrwl/tao      : 18.0.5
typescript     : 5.3.3

Failure Logs

No response

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

This issue occurs on both our local Windows developer machines and the Linux build servers.

I tried to find the root cause but I was not able to reproduce this issue when running the npm install --package-lock-only command (which is used by the update lock file function in our case).
I've also tried executing it from a custom JS script but this also did not reproduce the above mentioned issue.

Maybe it is something in the packages/js/src/generators/release-version/utils/update-lock-file.ts file but I have no idea how to start.
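
An added example, not part of the original issue or of Nx's code: a check that compares the lock file before and after the release commit and reports entries that were dropped while a package still in the lock file requires them, which is the condition that makes npm ci fail here. It assumes lockfileVersion 2 or 3; the function names and the sample package names are hypothetical.

```javascript
// Added example; assumes lockfileVersion 2 or 3 (top-level "packages" map).
// "node_modules/a/node_modules/@s/b" -> "@s/b"; other paths are returned as-is.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Names of every installed package recorded in the lock file.
function lockedNames(lock) {
  const names = new Set();
  for (const path of Object.keys(lock.packages || {})) {
    if (path.includes("node_modules/")) names.add(packageName(path));
  }
  return names;
}

// Entries dropped between the two locks, plus those a still-locked package requires.
function droppedEntries(beforeLock, afterLock) {
  const after = lockedNames(afterLock);
  const removed = [...lockedNames(beforeLock)].filter((n) => !after.has(n)).sort();
  const stillRequired = [];
  for (const [path, entry] of Object.entries(afterLock.packages || {})) {
    const meta = entry.peerDependenciesMeta || {};
    const required = [
      ...Object.keys(entry.dependencies || {}),
      ...Object.keys(entry.devDependencies || {}),
      ...Object.keys(entry.peerDependencies || {}).filter((p) => !(meta[p] && meta[p].optional)),
    ];
    for (const name of required) {
      if (removed.includes(name)) {
        stillRequired.push({ name, requiredBy: packageName(path) || "(root)" });
      }
    }
  }
  return { removed, stillRequired };
}

// Constructed sample data: hypothetical package names, not the real @nx/js graph.
const SAMPLE_BEFORE = { lockfileVersion: 3, packages: {
  "": { devDependencies: { "some-tool": "1.0.0" } },
  "node_modules/some-tool": { version: "1.0.0", peerDependencies: { "some-peer": ">=1" } },
  "node_modules/some-peer": { version: "1.2.0", peer: true, dependencies: { "peer-dep": "~2.0.0" } },
  "node_modules/peer-dep": { version: "2.0.1", peer: true },
} };
const SAMPLE_AFTER = { lockfileVersion: 3, packages: {
  "": SAMPLE_BEFORE.packages[""],
  "node_modules/some-tool": SAMPLE_BEFORE.packages["node_modules/some-tool"],
} };
console.log(JSON.stringify(droppedEntries(SAMPLE_BEFORE, SAMPLE_AFTER), null, 2));
```

In CI, pass the parsed package-lock.json from the commit before the release and from the release commit, and fail the job when stillRequired is non-empty.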
