Out of sync manifest & lockfile in the project

Fixing out of sync project warning

You may receive one of the following errors in the CLI (including IDE or CI/CD):

Your package.json and yarn.lock are probably out of sync. Please run "yarn install" and try again”.

Your package.json and package-lock.json are probably out of sync. Please run "npm install" and try again”.

What does this mean?

Out of sync lock file

Sometimes a project may become out of sync between the lockfile and the manifest file. This might happen if the package.json is modified/updated, but the lockfile is not. 

If Snyk tests detect this you will receive a warning that some dependencies will not be possible to test until the files are back in sync. This can be resolved by making sure the default branch of the project has a fully synced-up lockfile pushed to it after running npm install or yarn install. 

In some cases, it may be necessary to delete the node_modules folder and the package-lock.json and run npm install again to force a full reinstall. 

You can also use the following argument to ignore out of sync errors:

--strict-out-of-sync=false

Unsupported lockfile version (npm)

If the out of sync error is not resolved even with a successful npm install, please check your lockfile version.  If the version of lockfile created is not currently supported, you may need to force a backward compatible lockfile version with npm install --lockfile-version=<versionnumber>.
eg:

npm install --lockfile-version=2

NPM9, Lockfile version 3, and Workspaces

GIT (SCM) support for npm9, lockfile version 3, and npm workspaces is currently in beta. If not participating in the Beta program, projects with these attributes will give an out of sync message when using a GIT integration.

Please see Snyk for npm for latest details of current support matrix.