Which NPM versions are affected by npm:ELOCKVERIFY?

npm v5.0.0 and newer (lockfile verification).

npm ERR! code ELOCKVERIFY

Q: How can I manually validate npm:ELOCKVERIFY?

Confirm lockfile exists and is not malformed: `node -e "JSON.parse(require(\"fs\").readFileSync(\"package-lock.json\",\"utf8\")); console.log(\"ok\")"`. Compare npm versions: `node -v` and `npm -v` (local vs CI).

What This Error Means

npm returned ELOCKVERIFY because the lockfile and installed dependency tree do not agree with what npm expected to verify.

How to Fix It

If you have a lockfile, regenerate it intentionally (delete node_modules, then run npm install).

Commit the lockfile changes and keep npm versions consistent across dev and CI.

If this happens only in CI, ensure CI uses the same Node/npm versions as local.

Why It Happens

package-lock.json is out of sync with package.json (or was manually edited).

Different npm versions generated different lockfile formats and metadata.

A proxy registry served inconsistent metadata during lockfile generation.

How to Verify

Run npm ci (only if package-lock.json exists) and confirm verification succeeds.

Run npm ls and confirm the tree is consistent.

Manual checksum validation

Confirm lockfile exists and is not malformed:node -e "JSON.parse(require(\"fs\").readFileSync(\"package-lock.json\",\"utf8\")); console.log(\"ok\")"

Compare npm versions:node -v and npm -v (local vs CI).

Examples

npm ERR! code ELOCKVERIFY
npm ERR! Errors were found in your package-lock.json, run npm install to fix them.

How npm verifies package integrity

npm uses the lockfile to produce a deterministic dependency tree in CI.

When lockfile metadata is inconsistent or generated by different toolchains, verification can fail.

Keeping Node/npm versions aligned reduces lockfile drift.

Prevention Tips

Pin Node/npm versions in CI.

Avoid manual lockfile edits.

Use a stable proxy/cache registry to reduce metadata drift.

Where This Can Be Triggered

github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/commands/ci.js

This is the lockfile verification path used by npm ci. Lockfile/package.json mismatches are detected here and can surface as ELOCKVERIFY in CLI output. - GitHub

    // verifies that the packages from the ideal tree will match
    // the same versions that are present in the virtual tree (lock file)
    // throws a validation error in case of mismatches
    const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
    if (errors.length) {
      throw this.usageError(
        '`npm ci` can only install packages when your package.json and ' +