Skip to content
Latchkey

npm lockfileVersion Mismatch in CI - Fix package-lock Version Conflicts

package-lock.json carries a lockfileVersion. When CI runs a different npm major than the one that wrote the lockfile, the tree can churn, warn, or fail to install reproducibly.

What this error means

CI rewrites package-lock.json on every run, prints warnings about an old lockfile, or npm ci complains the lockfile is out of sync because the runner npm reads or writes a different lockfileVersion than your local npm.

npm
npm WARN read-shrinkwrap This version of npm is compatible with
npm WARN read-shrinkwrap lockfileVersion@1, but package-lock.json was
npm WARN read-shrinkwrap generated for lockfileVersion@3. I'll try to do my best.

Common causes

CI npm major differs from the local npm major

npm 6 writes lockfileVersion 1, npm 7+ writes 2, and npm 9+ writes 3; mixing versions across machines makes the lockfile drift.

A regenerated lockfile committed from a different npm

A teammate or tool on another npm version rewrites the lockfile, and CI then disagrees with it.

How to fix it

Pin one npm version everywhere

  1. Choose a single npm major for local and CI.
  2. Install it in CI before running npm ci.
Terminal
npm install -g npm@10
npm ci

Regenerate the lockfile with the pinned version

  1. Delete package-lock.json and reinstall with the chosen npm.
  2. Commit the regenerated lockfile.
Terminal
rm package-lock.json
npm install

How to prevent it

  • Pin the npm version via setup-node or packageManager, regenerate the lockfile only with that version, and run npm ci in CI so the lockfile stays authoritative.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →