Skip to content
Latchkey

npm "Invalid lockfileVersion" - Fix package-lock Version Mismatch in CI

The lockfileVersion field records the lockfile format. A lockfile written by a newer npm (v3 format) can confuse an older npm in CI, producing a re-resolved tree or a verification failure instead of a clean reproducible install.

What this error means

npm ci behaves inconsistently between local and CI: locally (newer npm) it is clean, but CI (older npm) rewrites the tree, warns about the lockfile version, or fails verification. The lockfileVersion differs from what CI’s npm expects.

npm output
npm warn read-shrinkwrap This version of npm is compatible with
lockfileVersion@1, but package-lock.json was generated for lockfileVersion@3.
I'll try to do my best with it!

Common causes

Lockfile written by a newer npm than CI runs

A developer on npm 9/10 commits a lockfileVersion 3 lock, but CI runs an older npm that only fully understands v1/v2, so it does not install identically.

Mixed npm versions across the team and CI

Without a pinned npm version, different machines write different lockfile formats, causing churn and verification mismatches.

How to fix it

Pin one npm version everywhere

Use the same npm major locally and in CI so the lockfile format is consistent.

package.json / Terminal
# pin via packageManager (Corepack)
# package.json:
"packageManager": "npm@10.8.2"
# in CI, install that npm:
npm install -g npm@10.8.2
npm ci

Regenerate the lockfile with the pinned npm

  1. Pick the npm version CI will use.
  2. Regenerate package-lock.json with it and commit.
  3. Enforce the npm version with packageManager + Corepack.

How to prevent it

  • Pin the npm version via packageManager and Corepack.
  • Keep local and CI npm majors identical.
  • Regenerate the lockfile with the pinned npm.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →