[BUG] npm 11.4.1 unable to install packages from git repo

[animechitransh]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When there is dependency being installed from git repo(git+ssh), npm latest (v11.4.1) is not downloading the dependency.
The lock file also does not show the dependency being downloaded.
Please note that the dependency does get downloaded and installed properly in v11.2.0

Possible problematic commit: https://github.com/npm/cli/pull/8312/files

Expected Behavior

Packages from git+ssh should get installed properly

Steps To Reproduce

1. Create a problematic package.json file with packages from git
2. npm i --verbose
3. npm throws error

npm warn reify invalid or damaged lockfile detected
npm warn reify please re-try this operation once it completes
npm warn reify so that the damage can be corrected, or perform
npm warn reify a fresh install with no lockfile if the problem persists.
npm verbose reify unrecognized node in tree /home/jenkins/workspace/xxx/yyyy/zzzz/node_modules/my-private-package

Environment

• npm: 11.4.1
• Node.js: 20.19.2
• OS Name: Ubuntu:20:04
• System Model Name: EC2 instance
• npm config:

[alexsch01]

do you have a way for us to reproduce the issue?

does this issue happen on npm 11.4.0?

[milaninfy]

@animechitransh
I have tried to reproduce the issue but I am not able to get the error that you mentioned. Here are the output from my run.

~/workarea/rep/test-git $ cat package.json
{
  "name": "test-git",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "test": "git+ssh://git@github.com:milaninfy/test-pkg.git"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "type": "commonjs"
}

npm install

~/workarea/rep/test-git $ npm i -ddd
npm verbose cli /Users/milaninfy/.nvm/versions/node/v22.14.0/bin/node /Users/milaninfy/.nvm/versions/node/v22.14.0/bin/npm
npm info using npm@11.4.1
npm info using node@v22.14.0
npm silly config load:file:/Users/milaninfy/.nvm/versions/node/v22.14.0/lib/node_modules/npm/npmrc
npm warn -ddd is not a valid single-hyphen cli flag and will be removed in the future
npm silly config load:file:/Users/milaninfy/workarea/rep/test-git/.npmrc
npm silly config load:file:/Users/milaninfy/.npmrc
npm silly config load:file:/Users/milaninfy/.nvm/versions/node/v22.14.0/etc/npmrc
npm verbose title npm i
npm verbose argv "i" "--loglevel" "silly"
npm verbose logfile logs-max:10 dir:/Users/milaninfy/.npm/_logs/2025-05-28T14_48_25_272Z-
npm verbose logfile /Users/milaninfy/.npm/_logs/2025-05-28T14_48_25_272Z-debug-0.log
npm silly logfile start cleaning logs, removing 1 files
npm silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
npm silly logfile done cleaning log files
npm silly idealTree buildDeps
npm silly fetch manifest test@git+ssh://git@github.com:milaninfy/test-pkg.git
npm silly placeDep ROOT test@1.0.0 OK for: test-git@1.0.0 want: git+ssh://git@github.com:milaninfy/test-pkg.git
npm silly reify moves {}
npm silly audit bulk request { test: [ '1.0.0' ] }
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 230ms
npm silly audit report {}
npm http fetch GET 200 https://codeload.github.com/milaninfy/test-pkg/tar.gz/ca2f3c8b472ddc4779d4134781060bd66462cfda 247ms (cache revalidated)
npm silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
npm silly ADD node_modules/test

added 1 package, and audited 2 packages in 1s

found 0 vulnerabilities
npm verbose cwd /Users/milaninfy/workarea/rep/test-git
npm verbose os Darwin 24.5.0
npm verbose node v22.14.0
npm verbose npm  v11.4.1
npm verbose exit 0
npm info ok

inspecting node_modules to check if it installed the package

~/workarea/rep/test-git $ tree node_modules 
node_modules
└── test
    ├── package.json
    └── README.md

package-lock.json

~/workarea/rep/test-git $ cat package-lock.json 
{
  "name": "test-git",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-git",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "test": "git+ssh://git@github.com:milaninfy/test-pkg.git"
      }
    },
    "node_modules/test": {
      "version": "1.0.0",
      "resolved": "git+ssh://git@github.com/milaninfy/test-pkg.git#ca2f3c8b472ddc4779d4134781060bd66462cfda",
      "license": "ISC"
    }
  }
}

[rickhall]

I just upgraded from npm 11.2 to 11.4.1 this morning and I started seeing this issue too. I was trying to "npm update" a git URL to my local gitlab instance and it complains about the lock file being corrupt and removes my dependency from package-lock.json and from node_modules. I downgraded to 11.2 and the issue was resolved. For the record, I tried 11.4 and 11.3 too, but they both failed similarly.

I am on Fedora 42 and node 20.17.0.

[alexsch01]

@rickhall if possible can you share your package-lock.json?

[rickhall]

Here is my working package-lock.json file with npm 11.2.0.

All I did was upgrade to 11.4.1 and then do a "npm update aq-mapper" which is one of my git URL dependencies.

I did try to start from scratch with no package-lock and removing my git URL dependencies and trying to re-add them to package.json, but nothing worked.

package-lock.json

[milaninfy]

@rickhall will you be able to provide full run logs/output, steps, package.json, configs etc ?

[rickhall]

@milaninfy Probably. Just tell me what exactly you want me to do.

[milaninfy]

My goal here is to try to reproduce the issue. So If i have the exact setup or any minimum reproduction case that you can reproduce this behaviour at your will then please provide those setup/steps so I can replicate the same at my end to better understand what's happening at your end as for me it's working as expected so far.

[rickhall]

I am not sure it is going to be that simple, since it doesn't seem to be project related, rather it appears to be system config related. Here is a session I just performed which shows the issue:

$ npm --version
11.4.1
$ mkdir npm-error
$ cd npm-error/
$ npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (npm-error) 
version: (1.0.0) 
description: Try to recreate npm git url error
entry point: (index.js) 
test command: 
git repository: 
keywords: 
author: 
license: (ISC) 
type: (commonjs) module
About to write to /home/rickhall/Projects/npm-error/package.json:

{
  "name": "npm-error",
  "version": "1.0.0",
  "description": "Try to recreate npm git url error",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "type": "module"
}


Is this OK? (yes) yes

$ npm install git@gitlab.glastender.com:glastender/aq-mapper.git
npm warn reify invalid or damaged lockfile detected
npm warn reify please re-try this operation once it completes
npm warn reify so that the damage can be corrected, or perform
npm warn reify a fresh install with no lockfile if the problem persists.
npm warn reify invalid or damaged lockfile detected
npm warn reify please re-try this operation once it completes
npm warn reify so that the damage can be corrected, or perform
npm warn reify a fresh install with no lockfile if the problem persists.

added 72 packages, and audited 73 packages in 17s

found 0 vulnerabilities
$

[animechitransh]

@milaninfy Apologies, I was out sick. I saw the issue while working in work(organization) codebase with

• Having private packages repo
• GitHub Enterprise
  I'll try to reproduce the repo with publicly available package/ code else will try to share sanitized logs
  cc: @rickhall

[alexsch01]

$ npm install git@gitlab.glastender.com:glastender/aq-mapper.git
npm warn reify invalid or damaged lockfile detected
npm warn reify please re-try this operation once it completes
npm warn reify so that the damage can be corrected, or perform
npm warn reify a fresh install with no lockfile if the problem persists.
npm warn reify invalid or damaged lockfile detected
npm warn reify please re-try this operation once it completes
npm warn reify so that the damage can be corrected, or perform
npm warn reify a fresh install with no lockfile if the problem persists.

Yeah this can't be reproduced at the moment since that GitLab server is private