23

I'm looking for an equivalent for yarn's --pure-lockfile flag.

This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it.

Does npm v5 have an equivalent?

Yves M.
callum

2 Answers

27

npm 5.7 introduced the npm ci subcommand:

The main differences between using npm install and npm ci are:

  • The project must have an existing package-lock.json or npm-shrinkwrap.json.
  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
  • npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
  • If a node_modules is already present, it will be automatically removed before npm ci begins its install.
  • It will never write to package.json or any of the package-locks: installs are essentially frozen.
Community
Tamlyn
  • Personally I hate the fact that `npm ci` removes the node_modules folder, as this kills off any form of caching for CI-Pipelines and thereby slows pipelines. IMHO it creates a lot of unnecessary load on the npm infrastructure and waiting times on our side, but it's the best we get. – Salz Jun 15 '22 at 08:13
  • You can cache the `.npm` cache folder, see https://stackoverflow.com/a/60355056/132208 – Tamlyn Jun 15 '22 at 16:48
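
A CI guard for the "read the lockfile but do not modify it" requirement, as an added example that is not part of the original answers: it runs any install command inside the project directory and fails if package.json or a lockfile was changed, which also catches an install whose flags were silently ignored. The function names and exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are
# this example's own choices.

# Print the SHA-256 hex digest of one file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1"
  else
    shasum -a 256 < "$1"
  fi | cut -d' ' -f1
}

# Print one line per manifest/lock file in the current directory:
# its digest, or "absent" so that creating a file also counts as a change.
manifest_digest() {
  for f in package.json package-lock.json npm-shrinkwrap.json; do
    if [ -f "$f" ]; then
      printf '%s %s\n' "$f" "$(sha256_of "$f")"
    else
      printf '%s absent\n' "$f"
    fi
  done
}

# frozen_install DIR CMD [ARGS...]
# Exit status: 0 = CMD succeeded and left the files untouched,
#              1 = DIR unusable or CMD failed,
#              2 = no lockfile to install from,
#              3 = CMD modified package.json or a lockfile.
# The body runs in a subshell, so "cd" and "exit" do not affect the caller.
frozen_install() (
  dir=$1; shift
  cd "$dir" || exit 1
  [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ] || {
    echo "no package-lock.json or npm-shrinkwrap.json in $dir" >&2; exit 2; }
  before=$(manifest_digest)
  "$@" || { echo "install command failed: $*" >&2; exit 1; }
  after=$(manifest_digest)
  if [ "$before" != "$after" ]; then
    echo "install modified package.json or the lockfile" >&2
    printf 'before:\n%s\nafter:\n%s\n' "$before" "$after" >&2
    exit 3
  fi
)

# Typical CI usage (left commented out so the file can be sourced offline):
#   frozen_install . npm ci
```
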
-3

This is how I did it in my Dockerfile

RUN npm install --pure-lockfile

It should work perfectly.

  • 1
    I've looked and found no documentation for anything called `--pure-lockfile` in npm. I believe this flag is ignored. – Nateowami Oct 18 '19 at 22:04