enforce engines like node and rpm version with a `npm ci` and its package-lock.json?

Question

I see in How can I specify the required Node.js version in package.json? that I can specify engine-strict=true & a package.json like:

 "engines" : { 
    "npm" : ">=8.0.0 <9.0.0",
    "node" : ">=16.0.0 <17.0.0"  
 }

but I use npm ci for clean installs.

How can I ensure correct engines (npm, node) are used, as these are not mentioned in the package-lock.json ?