npm 11.7.0 and current nodejs24 npm 11.6.2 are incompatible

[kroney]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

npm

Package manager version

11.7.0 (dependabot) vs 11.6.2 (default node24 npm)

Language version

NodeJs 24

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Dependabot uses npm 11.7.0 and nodejs24, meanwhile nodejs 24 ships with npm 11.6.2 by default right now.
They produce different lock files when running npm install (see npm/cli#8431).
Our dependabot PRs fail then because we run our jenkins tests with npm ci, so the build fails.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[yeikel]

Do you pin to any specific version in your package.json?

[ffried]

We're running into the same problem. Dependabot updates the lock file with rpm 11.7.0, which then causes npm clean-install to fail. We use GitHub Actions and setup our environment using actions/setup-node with node-version: 24. Which uses the default Node24 npm version (11.6.2).

[sindrisig]

Running into this issue as well.

[kroney]

fyi it might help to delete the package-lock.json if it's still version 2 and recreate it with version 3

[DerZade]

We use lockfile version 3 with Node 22 and still have the same issue :(

[drowe-official]

Do you pin to any specific version in your package.json?

Would this fix the issue? My understanding is the NPM version dependabot uses is fixed at

dependabot-core/npm_and_yarn/Dockerfile

Line 24 in f71afcb

ARG NPM_VERSION=11.7.0

[DerZade]

Yes the engines field in the package.json is ignored. The same is true for files like .nvmrc etc.

[lildesert]

Having the same issue, which makes all dependabot PRs fail. It was introduced by this PR.
I'm using node 24 which comes with npm 11.6.2