Our package-lock.json specified the stable version 1.3.2 or newer, so it installed the latest version 1.3.3, which got published just a few minutes earlier.
I assume they meant package.json and this only happens when you run npm install, not npm ci?
Isn't my package-lock.json specifying exactly which version of dependencies to install for npm ci?