[BUG] npm install cannot update the lock file #7085

Open
2 tasks done
nZeus opened this issue Dec 14, 2023 · 6 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x


nZeus commented Dec 14, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Hi,

We are trying to upgrade some libraries, using the renovate bot:
image

but when the npm install command is executed, it fails to update the package-lock.json file.
We get the following error:
image

If I manually delete the package-lock.json file and node_modules folder, and then run the npm install command, it works:
image

Any ideas why it fails?

Expected Behavior

No response

Steps To Reproduce

No response

Environment

  • npm: 10.2.5
  • Node.js: 20.10.0
  • OS Name: Mac OS & Linux & Windows
  • npm config:
save-exact = true
save-prefix = ""
@nZeus nZeus added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Dec 14, 2023
Contributor

ljharb commented Dec 14, 2023

The error is because you're pinning deps and thus creating an incompatibility; your package.json should have ^ in it on basically everything.

Author

nZeus commented Dec 15, 2023

That was the team's decision to pin dependencies. We want to be sure that at any time we get the same version of the libraries.
Could you please explain the incompatibility? The new versions are correct; the latest version of @angular/animations is 17.0.7 (link). Then why does npm fail to resolve it? And why does deleting node_modules and the package-lock file solve the issue?

Is dependency pinning not supported by npm install in this particular scenario?

@tomachristian

@ljharb IMO this is a perfectly valid scenario. NPM supports pinning dependencies like this, and it is even illustrated by the fact that it works great without node_modules and package-lock. The fact that it does not work with them does seem like a bug, and what you are proposing seems like a workaround for this bug.

Contributor

ljharb commented Dec 15, 2023

Of course pinning is supported. @nZeus the lockfile guarantees that; pinning in package.json doesn’t achieve anything whatsoever.

@tomachristian the issue here is that all the angular packages aren’t pinning, and if you pin, you have to update them all at once.

In other words, the problem is that the ecosystem doesn’t pin, you’re using something that declares a peer dep (angular, in this case), and the very problem you’re running into would be avoided by not pinning.

You certainly can solve it while still pinning, it’ll just be a lot more work and it’s harder to explain how over text.


Ionaru commented Sep 10, 2024

I am also running into this issue regularly and my solution is usually to delete the package-lock.json and node_modules, then run npm install.

However, disregarding the pinning discussion above, it is still an issue.

The error that @nZeus posted above shows that NPM still finds @angular/animations@17.0.6 among other 17.0.6 versions of the Angular packages in the package-lock.json file, and refuses to update them to match the 17.0.7 versions now specified in the package.json.

Why does npm install still read and use 17.0.6 from the package-lock.json, even though only 17.0.7 is specified in package.json?
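
A check that could run in CI before `npm install` to list which lockfile entries disagree with the exact pins in package.json, which is the state the comments above describe. This is an added example, not part of the thread and not npm's or Renovate's code; the package.json and lockfile contents are constructed, and `findLockDrift` is a hypothetical helper that compares exact versions only and skips ranges.

```javascript
// Constructed package.json after a bot bumped the pinned Angular packages.
const manifest = {
  dependencies: { "@angular/animations": "17.0.7", "@angular/core": "17.0.7", rxjs: "7.8.1" },
};

// Constructed lockfile in the lockfileVersion 3 layout (flat "packages" map).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@angular/animations": {
      version: "17.0.6",
      peerDependencies: { "@angular/core": "17.0.6" },
    },
    "node_modules/@angular/core": {
      version: "17.0.6",
      peerDependencies: { rxjs: "^6.5.3 || ^7.4.0" },
    },
    "node_modules/rxjs": { version: "7.8.1" },
  },
};

const EXACT = /^\d+\.\d+\.\d+(-[\w.]+)?$/; // exact versions only, no ranges

// Hypothetical helper: compare exact pins with what the lockfile holds.
function findLockDrift(manifest, lockfile) {
  const pins = { ...manifest.dependencies, ...manifest.devDependencies };
  const packages = lockfile.packages || {};
  const stale = [];
  for (const [name, wanted] of Object.entries(pins)) {
    if (!EXACT.test(wanted)) continue; // ranges are out of scope here
    const locked = packages[`node_modules/${name}`];
    const have = locked ? locked.version : null;
    if (have !== wanted) stale.push({ name, wanted, locked: have });
  }
  // Locked packages whose exact peer requirement contradicts a new pin.
  const peerConflicts = [];
  for (const [path, entry] of Object.entries(packages)) {
    const from = path.replace(/^.*node_modules\//, "");
    for (const [peer, requires] of Object.entries(entry.peerDependencies || {})) {
      const pinned = pins[peer];
      if (!pinned || !EXACT.test(pinned) || !EXACT.test(requires)) continue;
      if (requires !== pinned) peerConflicts.push({ from, version: entry.version, peer, requires, pinned });
    }
  }
  return { stale, peerConflicts };
}

console.log(JSON.stringify(findLockDrift(manifest, lockfile), null, 2));
```

A non-empty `stale` or `peerConflicts` list means the lockfile and package.json were not updated together, so the install should be reviewed rather than retried blindly.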

@GKersten

@nZeus did you find a proper way to solve this? We are running into the same issue with Renovate where we also decided on pinning the versions in the package.json. Indeed after manually deleting the package-lock.json npm seems to resolve as expected.
