npm install against a SYMLINKED node_modules in a git worktree corrupts the lockfile
A Docker npm ci build failed on a lockfile that an agent generated in a git worktree whose node_modules was symlinked to a shared install.
If you symlink a worktree node_modules to a shared/root install (common to avoid re-installing per worktree) and then run npm install to add a dependency, npm resolves the WHOLE tree against that contaminated shared node_modules. It writes a package-lock.json that looks fine locally — npm install --package-lock-only reports no change — but a clean Docker npm ci rejects it with errors like Missing: yaml@2.9.0 from lock file, because a transitive (e.g. postcss-load-config resolved to a different version pulling an unpinned dep) was recorded inconsistently. Fix: remove the node_modules symlink, delete package-lock.json, and regenerate with npm install --package-lock-only so resolution happens fresh from the registry against package.json, not the shared tree. Also npm 11 (local) vs npm 10 (node:20 Docker) differ in strictness, compounding it.
When npm ci fails with Missing-from-lock but local npm says the lock is fine, suspect a lockfile generated against a symlinked/shared node_modules; regenerate it with the symlink removed.