- Notifications
You must be signed in to change notification settings - Fork3.4k
Open
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
We have an npm build that pulls in a couple of internal packages from our Gitlab server, as well as a Nexus used as mirror for the public npm registry.
Due to a botched merge conflict resolution, we ended up with a version conflict for an internal package, with the package.json specifying a newer version, and the package-lock.json still having an older one.
In this situation, I would have expectednpm ci to fail, because there is no matching package-lock.json entry for the version from package.json. Instead, it tries to resolve the dependencies, but ignores all repository configurations from .npmrc, ultimately failing, because it hits registry.npmjs.org for our internal package and can't find it.
I ran all tests with an empty cache and empty node_modules. I also verified that the .npmrc settings were in effect usingnpm config ls -l. Both versions (and some in between) exist in our internal registry. Replacing the wrong version in package-lock.json fixed the issue.
package.json:
"dependencies": {"@our/example-lib":"^0.0.1-89-a2c758d4",... }
package-lock.json:
"dependencies": {"@our/example-lib":"^0.0.1-81-08e03b17",... }..."node_modules/@our/example-lib": {"version":"0.0.1-81-08e03b17","resolved":"https://git.example.org/api/v4/projects/3255/packages/npm/@our/example-lib/-/@our/example-lib-0.0.1-81-08e03b17.tgz","integrity":"sha1-MMn5yrwT9awSCfui4KlE8gY0j0o=","dependencies": {"axios":"^1.6.1" } },
.npmrc:
@our:registry=https://git.example.org/api/v4/projects/3247/packages/npm/registry=https://nexus.example.org/repository/registry.npmjs.org///nexus.example.org/repository/registry.npmjs.org/:_auth="xxxxx"//git.example.org/api/v4/projects/3247/packages/npm/:_authToken=xxxxnpm ci --loglevel verbose:
npm verbose cli /usr/local/bin/node /usr/local/bin/npmnpm info using npm@11.2.0npm info using node@v23.9.0npm verbose title npm cinpm verbose argv "ci" "--prefer-offline" "--loglevel" "verbose"npm verbose logfile logs-max:10 dir:/builds/our/example/frontend/.npm/_logs/2025-03-13T13_17_11_472Z-npm verbose logfile /builds/our/example/frontend/.npm/_logs/2025-03-13T13_17_11_472Z-debug-0.lognpm http fetch GET 404 https://registry.npmjs.org/@our/example-lib 220ms (cache skip)npm verbose stack HttpErrorGeneral: 404 Not Found - GET https://registry.npmjs.org/@our/example-lib - Not foundnpm verbose stack at /usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:103:15npm verbose stack at process.processTicksAndRejections (node:internal/process/task_queues:105:5)npm verbose stack at async RegistryFetcher.packument (/usr/local/lib/node_modules/npm/node_modules/pacote/lib/registry.js:90:19)npm verbose stack at async RegistryFetcher.manifest (/usr/local/lib/node_modules/npm/node_modules/pacote/lib/registry.js:128:23)npm verbose stack at async #fetchManifest (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:1202:20)npm verbose stack at async #nodeFromEdge (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:1040:19)npm verbose stack at async #buildDepStep (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:904:11)npm verbose stack at async Arborist.buildIdealTree (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:181:7)npm verbose stack at async CI.exec (/usr/local/lib/node_modules/npm/lib/commands/ci.js:63:5)npm verbose stack at async Npm.exec (/usr/local/lib/node_modules/npm/lib/npm.js:207:9)npm verbose statusCode 404npm verbose pkgid @our/example-lib@^0.0.1-89-a2c758d4npm error code E404npm error 404 Not Found - GET https://registry.npmjs.org/@our/example-lib - Not foundnpm error 404npm error 404 '@our/example-lib@^0.0.1-89-a2c758d4' is not in this registry.npm error 404npm error 404 Note that you can also install from anpm error 404 tarball, folder, http url, or git url.npm verbose cwd /builds/our/example/frontendnpm verbose os Linux 6.6.56+npm verbose node v23.9.0npm verbose npm v11.2.0npm verbose exit 1npm verbose code 1npm error A complete log of this run can be found in: /builds/our/example/frontend/.npm/_logs/2025-03-13T13_17_11_472Z-debug-0.logExpected Behavior
- npm uses the configured registries to look up modules (internal registry for scope@our, nexus mirror for everything else)
npm cifails because package.json and package-lock.json do not match, without attempting to resolve the missing package version from package.json against the public (or any) registry.
Steps To Reproduce
See config above. Then runnpm ci
Environment
- npm: 11.2.0
- Node.js: 23.9.0
- OS Name: Linux 6.6.56+
- System Model Name:
- npm config:
; "user" config from /root/.npmrc@our:registry ="https://git.example.org/api/v4/projects/3247/packages/npm/"//git.example.org/api/v4/projects/3247/packages/npm/:_authToken = (protected)//nexus.example.org/repository/registry.npmjs.org/:_auth = (protected)cache ="/builds/our/example/frontend/.npm"registry ="https://nexus.example.org/repository/registry.npmjs.org/"; node bin location = /usr/local/bin/node; node version = v23.9.0; npm local prefix = /builds/our/example/frontend; npm version = 11.2.0; cwd = /builds/our/example/frontend; HOME = /root; Run `npm config ls -l` to show all defaults.