lockFileMaintenance modifies package-lock.json in an invalid way #37531

@rarkins

Discussed in #36118

Originally posted by tarioch May 24, 2025

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Gitea, Renovate 40.26.1

Please tell us more about your question or problem

lockFileMaintenance seems to update the package-lock.json into an invalid state. An npm ci fails with

`npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.

The lockFileMaintenance branch is completely fresh. If I run

npm install --package-lock-only --no-audit --ignore-scripts

manually, there is no change happening to the package-lock.json checked into master.

Locally, I'm using the same versions that I see in the log file from Renovate (node 22.16.0, npm 10.9.2).

Logs (if relevant)

DEBUG: npm.updateArtifacts(src/money/static/package.json) (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: No packageManager updates - returning null (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: No package files need updating (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Getting updated lock files (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Writing package.json files (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "packageFiles": ["src/money/static/package.json"]
DEBUG: Writing src/money/static/package-lock.json (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Writing any updated package files (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Found 0 npm host rule(s) (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Found 1 host rule(s) without host type (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Found 1 host rule(s) without host type after dropping duplicates (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Writing updated .npmrc file to src/money/static/.npmrc (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Generating package-lock.json for src/money/static (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Spawning npm install to create src/money/static/package-lock.json (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Found npm constraint in package.json engines: 10.9.2 (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Updating lock file only (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Using node constraint "22.16.0" from package.json (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Removing src/money/static/package-lock.json first due to lock file maintenance upgrade (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Setting CONTAINERBASE_CACHE_DIR to /tmp/renovate/cache/containerbase (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Using containerbase dynamic installs (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Executing command (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "command": "install-tool node 22.16.0"
DEBUG: exec completed (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "durationMs": 6305,
       "stdout": "[21:42:41.525] INFO (68): Installing tool node@22.16.0...\nv22.16.0\n10.9.2\n0.32.0\n[21:42:46.633] INFO (68): Install tool node succeeded in 5.1s.\n",
       "stderr": ""
DEBUG: Executing command (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "command": "install-tool npm 10.9.2"
DEBUG: exec completed (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "durationMs": 3236,
       "stdout": "[21:42:47.753] INFO (105): Installing npm npm@10.9.2...\n10.9.2\n[21:42:50.731] INFO (105): Install tool npm succeeded in 2.9s.\n",
       "stderr": ""
DEBUG: Executing command (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "command": "hash -d npm 2>/dev/null || true"
DEBUG: exec completed (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "durationMs": 15,
       "stdout": "",
       "stderr": ""
DEBUG: Executing command (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "command": "npm install --package-lock-only --no-audit --ignore-scripts"
DEBUG: exec completed (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "durationMs": 27124,
       "stdout": "\nup to date in 27s\n",
       "stderr": ""
DEBUG: src/money/static/package-lock.json needs updating (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Updated 1 lock files (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
       "updatedArtifacts": ["src/money/static/package-lock.json"]
DEBUG: 1 file(s) to commit (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Preparing files for committing to branch feature/RENOVATE_lock-file-maintenance (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)
DEBUG: Setting git author name: Renovate (repository=tarioch/money, branch=feature/RENOVATE_lock-file-maintenance)

Reproduction: https://github.com/tarioch/36118_lockfilemaintenance
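
To triage a report like the one above, the following added example (not code from Renovate, npm, or the reporter) approximates the "in sync" precondition behind the `npm ci` error for lockfileVersion 2/3 files, so a CI gate can say which dependency drifted. The function name `lockfileDrift`, the finding kinds, and the sample data are assumptions; semver range satisfaction is not evaluated, so `npm ci` itself remains the authoritative check.

```javascript
// Added example: compares package.json declarations with the root entry
// (packages[""]) that npm records in lockfileVersion 2/3 lock files.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function lockfileDrift(pkg, lock) {
  const packages = lock.packages;
  if (!packages || !packages[""]) {
    // lockfileVersion 1 has no "packages" map; this check does not cover it.
    return [{ kind: "unsupported", detail: "no packages[\"\"] root entry" }];
  }
  const findings = [];
  const root = packages[""];
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        findings.push({ kind: "missing-in-root", field, name, declared: range });
      } else if (locked[name] !== range) {
        findings.push({ kind: "range-mismatch", field, name, declared: range, locked: locked[name] });
      }
      // Every direct dependency should have a resolved top-level entry.
      if (!packages[`node_modules/${name}`]) {
        findings.push({ kind: "no-resolved-entry", field, name });
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        findings.push({ kind: "extra-in-root", field, name, locked: locked[name] });
      }
    }
  }
  return findings;
}

// Constructed sample data (hypothetical packages, not from the reproduction repo).
const samplePkg = {
  dependencies: { "example-lib": "^1.3.0" },
  devDependencies: { "example-tool": "^5.4.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-lib": "^1.2.0" }, devDependencies: { "example-tool": "^5.4.0" } },
    "node_modules/example-lib": { version: "1.3.0" },
  },
};

console.log(lockfileDrift(samplePkg, sampleLock));
```

An empty result means only that the declared ranges and top-level entries line up; it does not prove the resolved versions satisfy those ranges.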

Labels: manager:npm (package.json files (npm/yarn/pnpm)), priority-2-high (Bugs impacting wide number of users or very important features)