package-lock.json missing or out of sync

Fix 'npm ci can only install packages when your package.json and package-lock.json are in sync' error in CI/CD.

Error Message
npm error: `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json is in sync.

Root Cause

npm ci requires a package-lock.json that matches package.json. If the lockfile is missing, was deleted, or has drifted out of sync with package.json, the CI install fails with the error above.

How to Fix

  1. Run npm install locally to regenerate package-lock.json from the current package.json.
  2. Commit package-lock.json to version control — it should never be listed in .gitignore.
  3. Paste your package.json into PackageFix to scan for CVEs before committing the new lockfile.
  4. In CI, always use npm ci (not npm install) so installs are reproducible and cannot silently resolve to newer versions.

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.


No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

Should package-lock.json be in .gitignore?
No. package-lock.json should always be committed. It ensures reproducible installs and allows security scanning of pinned dependency versions.

What is the difference between npm install and npm ci?
npm install updates package-lock.json based on package.json ranges. npm ci installs exactly what is in package-lock.json — faster and more secure for CI.

Why does npm ci fail in GitHub Actions?
Usually because package-lock.json is not committed, or was generated with a different npm version. Always commit the lockfile and use --legacy-peer-deps if needed.

Can a missing lockfile be a security risk?
Yes. Without a lockfile, npm install resolves to the latest version of each package at install time, which could include a newly published malicious package.