Early access Faultline Teams — organizational memory for recurring CI failures across repos

Package manager mismatch in lockfile

CI used one package manager (e.g., npm) but the repository has a lockfile from a different manager (e.g., pnpm or yarn), causing version and integrity mismatches.

package-manager-mismatch medium confidence build npmpnpmyarn

Matched signals

  • pnpm-lock.yaml
  • yarn.lock
  • package-lock.json
  • lockfile mismatch
  • lockfile integrity
  • integrity mismatch

Package manager mismatch in lockfile

What this failure means

CI used one package manager (e.g., npm) but the repository has a lockfile from a different manager (e.g., pnpm or yarn), causing version and integrity mismatches.

Symptoms

Faultline looks for one or more of these log fragments:

pnpm-lock.yaml
yarn.lock
package-lock.json
lockfile mismatch
lockfile integrity
integrity mismatch

Diagnosis

The CI job is using a package manager that does not match the lockfile in the repository. Common scenarios:

  • Repository has pnpm-lock.yaml but CI runs npm install or npm ci.
  • Repository has yarn.lock but CI runs npm install or npm ci.
  • CI was updated to use a new package manager but the workflow file was not updated.
  • The wrong package manager is installed on the CI runner.

Symptoms include hash mismatches, integrity errors, or unexpected version conflicts.

Fix steps

  1. Check which lockfile exists in the repository:

    ls -la package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null

  2. Identify the intended package manager. Most projects include it in:

    • package.json under engines.npm, engines.yarn, or engines.pnpm
    • .npmrc, .yarnrc, or .pnpmrc files
    • CI workflow comments or documentation

  3. Update the CI workflow to use the correct package manager and command:

    • For npm: npm ci
    • For yarn: yarn install --frozen-lockfile or yarn ci
    • For pnpm: pnpm install --frozen-lockfile

  4. Ensure the correct package manager is installed on the runner. Refer to your CI platform’s documentation for switching package managers.

Validation

  • <package-manager> install completes without integrity or hash errors.
  • ls -la package-lock.json pnpm-lock.yaml yarn.lock confirms the expected lockfile matches the package manager.
  • Re-run the CI job.

Why it matters

Package managers produce different lockfile formats and apply different dependency resolution strategies. Mixing them leads to non-deterministic installs and hard-to-debug downstream failures.

Prevention

  • Document the intended package manager in package.json and CI workflow comments.
  • Add a CI step that checks for lockfile/package-manager consistency before installing.
  • Use tooling like ~/.profilerc or a .tool-versions file to enforce the package manager version globally.

Try it locally

ls -la package-lock.json yarn.lock pnpm-lock.yaml
npm install
npm ls

How Faultline detects it

Use faultline explain package-manager-mismatch to see the full playbook.

faultline analyze build.log
faultline explain package-manager-mismatch

Generated from playbooks/bundled/log/build/package-manager-mismatch.yaml. Do not edit directly.

Try it on your own failed log

$ faultline analyze failed.log
Install Faultline CLI View on GitHub
Want this across every CI run? Faultline Teams tracks recurring failures across all your repos and surfaces patterns in a shared dashboard.