650

What is the practical difference between npm install and npm update? When should I use which?

Piper
  • 1,266
  • 3
  • 15
  • 26
Borek Bernard
  • 50,745
  • 59
  • 165
  • 240

6 Answers6

790

The difference between npm install and npm update handling of package versions specified in package.json:

{
  "name":          "my-project",
  "version":       "1.0",                             // install   update
  "dependencies":  {                                  // ------------------
    "already-installed-versionless-module":  "*",     // ignores   "1.0" -> "1.1"
    "already-installed-semver-module":       "^1.4.3" // ignores   "1.4.3" -> "1.5.2"
    "already-installed-versioned-module":    "3.4.1"  // ignores   ignores
    "not-yet-installed-versionless-module":  "*",     // installs  installs
    "not-yet-installed-semver-module":       "^4.2.1" // installs  installs
    "not-yet-installed-versioned-module":    "2.7.8"  // installs  installs
  }
}

Summary: The only big difference is that an already installed module with fuzzy versioning ...

  • gets ignored by npm install
  • gets updated by npm update

Additionally: install and update by default handle devDependencies differently

  • npm install will install/update devDependencies unless --production flag is added
  • npm update will ignore devDependencies unless --dev flag is added

Why use npm install at all?

Because npm install does more when you look besides handling your dependencies in package.json. As you can see in npm install you can ...

  • manually install node-modules
  • set them as global (which puts them in the shell's PATH) using npm install -g <name>
  • install certain versions described by git tags
  • install from a git url
  • force a reinstall with --force
Stan Kurdziel
  • 5,476
  • 1
  • 43
  • 42
AlexGrafe
  • 8,292
  • 1
  • 15
  • 12
  • 22
    and what about `~1.3` ? – Offirmo Feb 27 '14 at 15:35
  • 6
    what if the version is like ^5.0.9? And is it possible to make `npm install --save somePackage` save the * to dependencies? – KwiZ Apr 07 '15 at 12:13
  • I've seen where npm install reports errors on missing dependencies and npm update does not. – Larry Chu May 09 '16 at 19:50
  • 6
    I'd also note that scripts like `postinstall` run on install, but not on update. – Michael Marvick Jun 23 '16 at 03:45
  • 2
    If `install` and `update` work differently on git URLs, git tags, etc. specified in the `package.json` then it would be great to add those cases to the example. – joeytwiddle Oct 27 '16 at 10:29
  • 2
    @Offirmo the tilde in the fuzzy versioning means "update to the latest minor (bugfix) release of this package", the minor version being the last number in the version, i.e. `1.3.0 -> 1.3.1` This is similar to `^1.3.0`, where the `^` updates major version, i.e. `1.3.0 -> 1.4.0`. – Boyan Kushlev Nov 29 '17 at 08:59
  • 3
    @BoyanKushlev I think you mean minor and patch/bugfix, not major and minor. Major is 1 for all your examples. – jdelman Feb 08 '18 at 19:37
  • 1
    Also, npm install will generate a `package-lock.json` – hitautodestruct Jul 12 '18 at 08:22
  • 2
    In what way does `npm update` **ignore** devDependencies? I don't know if that has changed since written or not, but when I run `npm update` on a fresh folder that has no node_modules at all, it does install those defined in the "devDependencies" section of package.json, without supplying a `--dev` flag. – Ken Lyon Oct 29 '18 at 19:26
  • And what about `dist-tag`s? – Jack Lu Feb 24 '21 at 07:15
  • by "already installed" you mean dependency is already in node-modules or being in package-lock.json qualifies as "already installed"? – hipokito Feb 17 '22 at 13:04
  • 1
    Looking at the current `npm` versions (8 and 9), the "update ignores dev versions if you don't use the `--dev`" flag is no longer true. Instead, it has the `--omit` flag. If that is not set explicitly, npm will check the `NODE_ENV` environment variable and if that is set to `production` it will omit the dev dependencies. Otherwise it will update *all* dependencies. – chiborg Nov 29 '22 at 10:41
110

npm install installs all modules that are listed on package.json file and their dependencies.

npm update updates all packages in the node_modules directory and their dependencies.

npm install express installs only the express module and its dependencies.

npm update express updates express module (starting with npm@2.x, it doesn't update its dependencies).

So updates are for when you already have the module and wish to get the new version.

Dan
  • 55,715
  • 40
  • 116
  • 154
saeed
  • 3,861
  • 3
  • 25
  • 23
  • 7
    if you don't specify a particular version in a package.json file, npm install will get the latest version of a module. So this a kind of an update. – saeed Sep 18 '12 at 20:44
  • 17
    So what should I use, `npm install` or `npm update`? Or, in other words, I am now using `npm install` and it seems to do the updating as well, is there any reason why should I ever use `npm update`? – Borek Bernard Sep 18 '12 at 21:58
  • If you don't specify a version for you modules you can use keep using npm install to do updates. But generally its good idea to specify a module version in your package.json file. Then you can't use npm install to do updates. – saeed Sep 18 '12 at 22:30
  • 4
    So `update` will always update to the latest version, regardless of package.json, while `install` will respect the version given in package.json? – Borek Bernard Sep 18 '12 at 22:44
  • 1
    `update` installs (or updates to) latest version of module. `install` installs latest version of module if its not presented otherwise keeps current version. – tenphi Mar 13 '14 at 09:34
  • 15
    @Borek `npm update` will update to the latest version based on your package.json, not regardless of it. If you have "express": "3.x" and you are on version 3.1.0, it will update to the latest 3.x tag. If there is a 4.x version, it will not install the latest. – gcochard Apr 09 '14 at 21:28
  • So will **npm update** update a package in node_modules even if it is _not_ in `package.json`? – Bennett McElwee Dec 05 '16 at 01:34
  • npm update also install the missing files with latest version, in case you have deleted the node_module folder for some reason, npm update will work like npm install too according to your package.json – R K Sharma Jan 18 '18 at 07:02
  • 1
    @BennettMcElwee no, `package.json` is the main source of truth for what packages and versions should be installed; either `npm install` and `update` will honour that file. Based on this, packages will be downloaded into `node_modules`. And **if** a `package-lock.json` is present, `install` will ensure the precise versions from that `-lock` will be reinstalled (this ensure multiple machines have the same exact deps); while `update` will update `node_modules` and `package-lock.json` according to the *semver* boundaries defined into `package.json`. No other magic based on `node_modules` content. – Kamafeather May 09 '19 at 09:34
51

In most cases, this will install the latest version of the module published on npm.

npm install express --save

or better to upgrade module to latest version use:

npm install express@latest --save --force

--save: Package will appear in your dependencies.

More info: npm-install

jmav
  • 3,119
  • 4
  • 27
  • 27
16

npm update: install and update with latest node modules which are in package.json

npm install: install node modules which are defined in package.json(without update)

DSK
  • 492
  • 5
  • 13
  • Using npm version 6.9.0 I observe the following behavior: `npm update` will omit a large number of dependencies in `package-lock.json`. To have all required packages available and `package-lock.json` to be correct, I always have to execute `npm install` right after `npm update`. – Manfred Apr 23 '19 at 03:24
12

Many distinctions have already been mentioned. Here is one more:

Running npm install at the top of your source directory will run various scripts: prepublish, preinstall, install, postinstall. Depending on what these scripts do, a npm install may do considerably more work than just installing dependencies.

I've just had a use case where prepublish would call make and the Makefile was designed to fetch dependencies if the package.json got updated. Calling npm install from within the Makefile would have lead to an infinite recursion, while calling npm update worked just fine, installing all dependencies so that the build could proceed even if make was called directly.

MvG
  • 57,380
  • 22
  • 148
  • 276
  • 1
    One implication is that if you updated, for instance, your `redis` module, and `other_module` requires an older version of `redis`, `npm install other_module` will guarantee that `other_module` will use the older version. It may add `other_module/node_modules/redis` if necessary. – jlukanta Apr 06 '16 at 19:26
1

npm update also installs the latest version of a package regardless of the checksum saved in package-lock.json. When depending on private repos the saved checksum can break so that npm install throws a mismatch error. npm update will ignore the checksum and install the latest version specified in package.json.

The error can look something like this:

npm WARN tarball tarball data for repo@git+ssh://git@github.com/company/repo.git#b2d8280dfb292c13c614352adra910f298a2a771 (sha512-36mxm1NMCHisdfsdfsdfsdsdf3NtFvwpzpjCEZfQTXmoi04B3qVrsTs1tnsdsdfsdfZNIK8lbEGVRVKcDX5u9pY7B==) seems to be corrupted. Trying again.
npm ERR! code EINTEGRITY
JohanR
  • 103
  • 2
  • 7