[BUG] On v11.6.1 `npm i` or `npm update` generates different lock file contents on second run

[aalej]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When using npm v11.61 or v11.6.2. The second run of npm i generates a different lock file compared to the first npm i

Expected Behavior

npm i should generate the same lock file contents

Steps To Reproduce

See this mcve for the repro

1. Run git clone https://github.com/aalej/tools-issue-9295_npm.git, then cd into the directory
2. Run rm -rf node_modules package-lock.json
3. Run npm i
4. Run npm ls picomatch
   • No issue raised
5. Run git add . then git commit -m "checkpoint"(or run bash auto-commit.sh)
   • This is just to check the diff
6. Run npm i again or npm update
7. Run git diff

$ git diff
diff --git a/package-lock.json b/package-lock.json
index 60bf11d..ff02a5f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -8033,20 +8033,6 @@
         }
       }
     },
-    "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
-      "license": "MIT",
-      "optional": true,
-      "peer": true,
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/tmp": {
       "version": "0.2.5",
       "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz",

Environment

• npm:
• Node.js: 22.21.1
• OS Name: macOS
• System Model Name: Sequioa 15.7.1
• npm config:

$ npm config ls
; node bin location = /usr/local/bin/node
; node version = v22.21.1
; npm local prefix = /Users/[REDACTED]/issues/9295-2
; npm version = 11.6.1
; cwd = /Users/[REDACTED]/issues/9295-2
; HOME = /Users/[REDACTED]
; Run `npm config ls -l` to show all defaults.

[DaSchTour]

Maybe related to #8669

[MRagunandhan24]

This issue is similar to #8726 , as the second run of npm i modifies the package.lock file. If your instance is unique, please provide more details so we can check.

[liamcmitchell]

This removed dep is flagged "optional": true, "peer": true so probably another case of incorrect pruning introduced in #8431. This should be fixed by #8645 released with npm v11.6.3.

[aalej]

Hey y'all, sorry I wasn't able to respond to this sooner. I tried the same steps using npm v11.6.3 and it seems to be fixed! Thanks @liamcmitchell! I'll go ahead and close this.