Fix npm Lockfile Mismatch
Fix npm lockfile mismatches where package-lock.json is out of sync with package.json. Identify vulnerable pinned versions in the lockfile.
⚠ The Problem
package-lock.json pins a vulnerable version of a dependency even after you updated package.json. The lockfile takes precedence during npm ci, so the vulnerability persists in CI/CD.
Bad Configuration — package.json
# package.json:
"express": "^4.19.2"
# package-lock.json:
"express": "4.17.1"   ← vulnerable version still pinned
Fixed Configuration — package.json
# Delete package-lock.json and regenerate:
rm package-lock.json
npm install
# Or update a specific package:
npm update express
✓ Fix
The lockfile overrides the semver range in package.json, so after updating package.json, always regenerate the lockfile. PackageFix scans both files when they are dropped in together. After applying the update, run npm install.
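The check this page describes (is the version pinned in package-lock.json still inside the range declared in package.json?), as an added example that is not PackageFix's own code: a dependency-free Node.js script run over a constructed package.json and lockfile; the `^`/`~` handling is a deliberately simplified semver subset and any other range syntax is reported for manual review.

```javascript
// Added example (not PackageFix's code): flag lockfile entries that no longer
// satisfy the range declared in package.json (lockfile v1, v2 and v3 layouts).
// Only exact, ^ and ~ ranges on x.y.z versions are evaluated; others -> 'unsupported-range'.
function satisfies(version, range) {
  const m = range.match(/^([\^~]?)(\d+)\.(\d+)\.(\d+)$/);
  if (!m || !/^\d+\.\d+\.\d+$/.test(version)) return null;
  const [a, b, c] = m.slice(2).map(Number);
  const [x, y, z] = version.split('.').map(Number);
  const cmp = (x - a) || (y - b) || (z - c);      // sign of (version - range floor)
  if (cmp < 0) return false;                      // below the floor: never satisfies
  if (m[1] === '') return cmp === 0;              // exact pin
  if (m[1] === '~') return x === a && y === b;    // tilde: same major.minor
  if (a > 0) return x === a;                      // caret: same major ...
  if (b > 0) return x === 0 && y === b;           // ... or same minor for 0.y.z
  return x === 0 && y === 0 && z === c;           // ... or same patch for 0.0.z
}

function findLockfileMismatches(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(declared).map(([name, range]) => {
    // v2/v3 lockfiles key top-level packages as "node_modules/<name>"; v1 uses a flat "dependencies" map
    const entry = (lock.packages || {})[`node_modules/${name}`]
               || (lock.dependencies || {})[name];
    if (!entry) return { name, range, locked: null, status: 'missing-from-lockfile' };
    const ok = satisfies(entry.version, range);
    const status = ok === null ? 'unsupported-range' : ok ? 'ok' : 'mismatch';
    return { name, range, locked: entry.version, status };
  });
}

// Constructed sample inputs mirroring the page's express example.
const SAMPLE_PKG = {
  dependencies: { express: '^4.19.2', lodash: '~4.17.20', react: '>=18' },
  devDependencies: { jest: '29.7.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { version: '4.17.1' }, // stale: below the ^4.19.2 floor
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/react': { version: '18.3.1' },
    'node_modules/jest': { version: '29.7.0' },
  },
};

// Replace the samples with JSON.parse of the real package.json / package-lock.json to check a project.
console.table(findLockfileMismatches(SAMPLE_PKG, SAMPLE_LOCK));
```

A `mismatch` row is exactly the case described above: npm ci will install the locked version regardless of the range, so the row is what should fail a CI check or trigger a lockfile regeneration.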
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
Why does npm ci install a vulnerable version even after I updated package.json?
npm ci installs exactly what is in package-lock.json, ignoring package.json semver ranges. If the lockfile is stale, it installs the vulnerable version.
How do I regenerate package-lock.json safely?
Run npm install (not npm ci). npm install resolves the semver ranges in package.json and writes a fresh lockfile with the latest versions that satisfy them.
Should I commit package-lock.json to version control?
Yes. Committing the lockfile ensures reproducible installs across environments. Review it during code review for unexpected version changes.
How does PackageFix handle lockfiles?
Drop package-lock.json alongside package.json. PackageFix parses both and shows which lockfile-pinned versions are vulnerable.