[BUG] npm i after dependabot bumps results in "peer": true added to multiple pkgs #8690

@adamlui

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Every time dependabot bumps stuff (usually ESLint-related pkgs) and I locally sync w/ npm i, the package-lock.json has been adding peer: "true" to eslint and acorn (latest example adamlui/ai-web-extensions@122f420).

I believe this started happening when I updated to 11.6.0 or .1

Expected Behavior

package-lock.json should remain unchanged when dependency resolution is identical

Steps To Reproduce

  1. Open cmd.exe in Win10
  2. With default npm config
  3. Run npm i after a dependabot npm pkg bump
  4. See package-lock.json got modified

Environment

  • npm: 11.6.2
  • Node.js: 22.15.0
  • OS Name: Windows 10
  • System Model Name: HP Notebook
  • npm config: default
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.15.0
; npm local prefix = e:\js\userscripts\.public
; npm version = 11.6.2
; cwd = e:\js\userscripts\.public
; HOME = C:\Users\adaaaam
; Run `npm config ls -l` to show all defaults.
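
For reviewing lockfile changes like the one reported above, this added example (not part of the original issue and not npm's own code) separates entries where only the "peer" flag changed from entries whose version, resolved URL or integrity hash changed. It assumes the lockfileVersion 2/3 "packages" map; the function names are hypothetical and the sample lockfiles are constructed.

```javascript
// Added example: classify what changed between two parsed package-lock.json
// objects (lockfileVersion 2/3 "packages" map). All names here are hypothetical.
const RESOLUTION_FIELDS = ['version', 'resolved', 'integrity'];

// Sort object keys recursively so key order does not count as a change.
const canon = (v) =>
  Array.isArray(v) ? v.map(canon)
  : v && typeof v === 'object'
    ? Object.fromEntries(Object.keys(v).sort().map((k) => [k, canon(v[k])]))
    : v;

function classifyLockfileDiff(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const report = { added: [], removed: [], resolutionChanged: [], otherChanged: [], peerFlagOnly: [] };
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (!(path in a)) { report.added.push(path); continue; }
    if (!(path in b)) { report.removed.push(path); continue; }
    const { peer: peerA, ...restA } = a[path];
    const { peer: peerB, ...restB } = b[path];
    if (RESOLUTION_FIELDS.some((f) => restA[f] !== restB[f])) report.resolutionChanged.push(path);
    else if (JSON.stringify(canon(restA)) !== JSON.stringify(canon(restB))) report.otherChanged.push(path);
    else if (peerA !== peerB) report.peerFlagOnly.push(path);
  }
  return report;
}

// True only when the diff consists of nothing but "peer" flag changes.
function isPeerFlagChurn(report) {
  const { peerFlagOnly, ...rest } = report;
  return peerFlagOnly.length > 0 && Object.values(rest).every((list) => list.length === 0);
}

// Constructed sample data (versions, URLs and integrity strings are placeholders).
const entry = (version, extra = {}) => ({
  version,
  resolved: `https://registry.example.invalid/pkg-${version}.tgz`,
  integrity: `sha512-PLACEHOLDER-${version}`,
  dev: true,
  ...extra,
});
const sampleBefore = { lockfileVersion: 3, packages: {
  'node_modules/eslint': entry('1.0.0'), 'node_modules/acorn': entry('2.0.0') } };
const sampleAfter = { lockfileVersion: 3, packages: {
  'node_modules/eslint': entry('1.0.0', { peer: true }), 'node_modules/acorn': entry('2.0.0', { peer: true }) } };

console.log(isPeerFlagChurn(classifyLockfileDiff(sampleBefore, sampleAfter)));
```

A lockfile diff that lands in `resolutionChanged`, `added` or `removed` changes what gets installed and needs a real review; one that is only `peerFlagOnly` does not change the resolved artifacts.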

Labels

  • Bug (thing that needs fixing)
  • Needs Triage (needs review for next steps)
