npm "Invalid lockfileVersion" - Fix package-lock Version Mismatch in CI
The lockfileVersion field records the lockfile format. A lockfile written by a newer npm (v3 format) can confuse an older npm in CI, producing a re-resolved tree or a verification failure instead of a clean reproducible install.
What this error means
npm ci behaves inconsistently between local and CI: locally (newer npm) it is clean, but CI (older npm) rewrites the tree, warns about the lockfile version, or fails verification. The lockfileVersion differs from what CI’s npm expects.
npm warn read-shrinkwrap This version of npm is compatible with
lockfileVersion@1, but package-lock.json was generated for lockfileVersion@3.
I'll try to do my best with it!Common causes
Lockfile written by a newer npm than CI runs
A developer on npm 9/10 commits a lockfileVersion 3 lock, but CI runs an older npm that only fully understands v1/v2, so it does not install identically.
Mixed npm versions across the team and CI
Without a pinned npm version, different machines write different lockfile formats, causing churn and verification mismatches.
How to fix it
Pin one npm version everywhere
Use the same npm major locally and in CI so the lockfile format is consistent.
# pin via packageManager (Corepack)
# package.json:
"packageManager": "npm@10.8.2"
# in CI, install that npm:
npm install -g npm@10.8.2
npm ciRegenerate the lockfile with the pinned npm
- Pick the npm version CI will use.
- Regenerate
package-lock.jsonwith it and commit. - Enforce the npm version with
packageManager+ Corepack.
How to prevent it
- Pin the npm version via
packageManagerand Corepack. - Keep local and CI npm majors identical.
- Regenerate the lockfile with the pinned npm.