[BUG] Wrong registry used due to package.json / package-lock.json inconsistency #8163

Open · creckord opened this issue Mar 13, 2025 · 1 comment
Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)

creckord commented Mar 13, 2025

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

We have an npm build that pulls in a couple of internal packages from our GitLab server, as well as a Nexus used as a mirror for the public npm registry.

Due to a botched merge conflict resolution, we ended up with a version conflict for an internal package, with the package.json specifying a newer version, and the package-lock.json still having an older one.

In this situation, I would have expected npm ci to fail, because there is no matching package-lock.json entry for the version from package.json. Instead, it tries to resolve the dependencies, but ignores all repository configurations from .npmrc, ultimately failing, because it hits registry.npmjs.org for our internal package and can't find it.

I ran all tests with an empty cache and empty node_modules. I also verified that the .npmrc settings were in effect using npm config ls -l. Both versions (and some in between) exist in our internal registry. Replacing the wrong version in package-lock.json fixed the issue.

package.json:

  "dependencies": {
    "@our/example-lib": "^0.0.1-89-a2c758d4",
    ...
  }

package-lock.json:

  "dependencies": {
    "@our/example-lib": "^0.0.1-81-08e03b17",
    ...
  }
  ...
  "node_modules/@our/example-lib": {
    "version": "0.0.1-81-08e03b17",
    "resolved": "https://git.example.org/api/v4/projects/3255/packages/npm/@our/example-lib/-/@our/example-lib-0.0.1-81-08e03b17.tgz",
    "integrity": "sha1-MMn5yrwT9awSCfui4KlE8gY0j0o=",
    "dependencies": {
      "axios": "^1.6.1"
    }
  },

.npmrc:

@our:registry=https://git.example.org/api/v4/projects/3247/packages/npm/
registry=https://nexus.example.org/repository/registry.npmjs.org/
//nexus.example.org/repository/registry.npmjs.org/:_auth="xxxxx"
//git.example.org/api/v4/projects/3247/packages/npm/:_authToken=xxxx

npm ci --loglevel verbose:

npm verbose cli /usr/local/bin/node /usr/local/bin/npm
npm info using npm@11.2.0
npm info using node@v23.9.0
npm verbose title npm ci
npm verbose argv "ci" "--prefer-offline" "--loglevel" "verbose"
npm verbose logfile logs-max:10 dir:/builds/our/example/frontend/.npm/_logs/2025-03-13T13_17_11_472Z-
npm verbose logfile /builds/our/example/frontend/.npm/_logs/2025-03-13T13_17_11_472Z-debug-0.log
npm http fetch GET 404 https://registry.npmjs.org/@our/example-lib 220ms (cache skip)
npm verbose stack HttpErrorGeneral: 404 Not Found - GET https://registry.npmjs.org/@our/example-lib - Not found
npm verbose stack     at /usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:103:15
npm verbose stack     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
npm verbose stack     at async RegistryFetcher.packument (/usr/local/lib/node_modules/npm/node_modules/pacote/lib/registry.js:90:19)
npm verbose stack     at async RegistryFetcher.manifest (/usr/local/lib/node_modules/npm/node_modules/pacote/lib/registry.js:128:23)
npm verbose stack     at async #fetchManifest (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:1202:20)
npm verbose stack     at async #nodeFromEdge (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:1040:19)
npm verbose stack     at async #buildDepStep (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:904:11)
npm verbose stack     at async Arborist.buildIdealTree (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:181:7)
npm verbose stack     at async CI.exec (/usr/local/lib/node_modules/npm/lib/commands/ci.js:63:5)
npm verbose stack     at async Npm.exec (/usr/local/lib/node_modules/npm/lib/npm.js:207:9)
npm verbose statusCode 404
npm verbose pkgid @our/example-lib@^0.0.1-89-a2c758d4
npm error code E404
npm error 404 Not Found - GET https://registry.npmjs.org/@our/example-lib - Not found
npm error 404
npm error 404  '@our/example-lib@^0.0.1-89-a2c758d4' is not in this registry.
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.
npm verbose cwd /builds/our/example/frontend
npm verbose os Linux 6.6.56+
npm verbose node v23.9.0
npm verbose npm  v11.2.0
npm verbose exit 1
npm verbose code 1
npm error A complete log of this run can be found in: /builds/our/example/frontend/.npm/_logs/2025-03-13T13_17_11_472Z-debug-0.log

Expected Behavior

  • npm uses the configured registries to look up modules (internal registry for scope @our, nexus mirror for everything else)
  • npm ci fails because package.json and package-lock.json do not match, without attempting to resolve the missing package version from package.json against the public (or any) registry.

Steps To Reproduce

See config above. Then run npm ci

Environment

  • npm: 11.2.0
  • Node.js: 23.9.0
  • OS Name: Linux 6.6.56+
  • System Model Name:
  • npm config:
; "user" config from /root/.npmrc
@our:registry = "https://git.example.org/api/v4/projects/3247/packages/npm/"
//git.example.org/api/v4/projects/3247/packages/npm/:_authToken = (protected)
//nexus.example.org/repository/registry.npmjs.org/:_auth = (protected)
cache = "/builds/our/example/frontend/.npm"
registry = "https://nexus.example.org/repository/registry.npmjs.org/"
; node bin location = /usr/local/bin/node
; node version = v23.9.0
; npm local prefix = /builds/our/example/frontend
; npm version = 11.2.0
; cwd = /builds/our/example/frontend
; HOME = /root
; Run `npm config ls -l` to show all defaults.

creckord (Author) commented

What I find very confusing is that this log fundamentally differs from a successful npm ci run, in that it immediately goes for the http fetch of the broken dependency, whereas the log for the working case looks like this:

npm verbose cli /usr/local/bin/node /usr/local/bin/npm
npm info using npm@11.2.0
npm info using node@v23.9.0
npm verbose title npm ci
npm verbose argv "ci" "--prefer-offline" "--loglevel" "verbose"
npm verbose logfile logs-max:10 dir:/builds/our/example/frontend/.npm/_logs/2025-03-13T15_05_26_737Z-
npm verbose logfile /builds/our/example/frontend/.npm/_logs/2025-03-13T15_05_26_737Z-debug-0.log
npm verbose reify failed optional dependency /builds/our/example/frontend/node_modules/fsevents
npm verbose reify failed optional dependency /builds/our/example/frontend/node_modules/@rollup/rollup-win32-x64-msvc
...
npm verbose reify failed optional dependency /builds/our/example/frontend/node_modules/@esbuild/aix-ppc64
npm http cache yocto-queue@https://nexus.example.org/repository/registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz 0ms (cache hit)
npm http cache yn@https://nexus.example.org/repository/registry.npmjs.org/yn/-/yn-3.1.1.tgz 0ms (cache hit)
...
npm http cache @our/example-lib@https://git.example.org/api/v4/projects/3255/packages/npm/@our/example-lib/-/@our/example-lib-0.0.1-89-a2c758d4.tgz 0ms (cache hit)
...
npm http fetch GET 200 https://nexus.example.org/repository/registry.npmjs.org/text-decoder/-/text-decoder-1.2.3.tgz 1842ms (cache miss)
...
npm http fetch GET 200 https://git.example.org/api/v4/projects/3255/packages/npm/@our/example-lib/-/@our/example-lib-0.0.1-89-a2c758d4.tgz 3895ms (cache miss)
...

reify aside, I would have expected to see some npm http cache calls in the other log as well...
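
An added example (not part of the original issue, and not npm's own code): a Node.js pre-install check that reports when package.json and the lockfile's root entry disagree, as in the report above, and flags scoped packages whose `resolved` URL is not on the origin configured for that scope in .npmrc. It assumes a lockfileVersion 2 or 3 file, where `packages[""]` mirrors package.json; `parseScopeRegistries` and `checkLock` are hypothetical names.

```javascript
// Added example, not npm's code. Assumes lockfileVersion 2/3, where
// lock.packages[""] mirrors package.json. All names here are hypothetical.

// Parse "@scope:registry=URL" lines from .npmrc text -> Map(scope => origin).
function parseScopeRegistries(npmrcText) {
  const scopes = new Map();
  for (const line of npmrcText.split(/\r?\n/)) {
    const m = /^\s*(@[^:\s]+):registry\s*=\s*"?([^"\s]+)"?\s*$/.exec(line);
    if (m) scopes.set(m[1], new URL(m[2]).origin);
  }
  return scopes;
}

// Return findings; an empty array means manifest and lockfile agree.
function checkLock(pkg, lock, scopes) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[''] || {};
  for (const field of ['dependencies', 'devDependencies']) {
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (locked[name] !== spec) {
        findings.push(`spec-mismatch ${name}: package.json=${spec} lock=${locked[name]}`);
      }
    }
  }
  // Compare origins only: in the issue, tarballs live under another project path.
  for (const [path, entry] of Object.entries(packages)) {
    const name = path.split('node_modules/').pop();
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!scope || !scopes.has(scope) || !entry.resolved) continue;
    let origin;
    try { origin = new URL(entry.resolved).origin; } catch { origin = 'invalid-url'; }
    if (origin !== scopes.get(scope)) {
      findings.push(`wrong-origin ${name}: ${origin} (expected ${scopes.get(scope)})`);
    }
  }
  return findings;
}

// Constructed sample using the values quoted in the issue.
const NPMRC = '@our:registry=https://git.example.org/api/v4/projects/3247/packages/npm/\n';
const PKG = { dependencies: { '@our/example-lib': '^0.0.1-89-a2c758d4' } };
const LOCK = { packages: {
  '': { dependencies: { '@our/example-lib': '^0.0.1-81-08e03b17' } },
  'node_modules/@our/example-lib': { version: '0.0.1-81-08e03b17',
    resolved: 'https://git.example.org/api/v4/projects/3255/packages/npm/@our/example-lib/-/@our/example-lib-0.0.1-81-08e03b17.tgz' },
} };
console.log(checkLock(PKG, LOCK, parseScopeRegistries(NPMRC)));
```

Run as a CI step before `npm ci` and exit non-zero when the returned array is non-empty, so a stale lockfile stops the build before any registry lookup happens.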
