14

Given a project where the package-lock.json is managed in source control with the goal that all developers on the team get exactly the same dependencies.

From the documentation of npm I think developers should use npm ci to set up their development environment and probably also later when dependencies are updated.

However the instructions I see in typical npm projects is still to use npm install.

Is there a reason developers should use npm install instead of npm ci? Does npm ci have disadvantages in this scenario?

I understand that npm ci does delete the whole node_modules and therefore potentially re-download some dependencies that were already present.

But with npm install I had regularly the case that an npm install is actually changing the package-lock.json (see links below), which is definitely not what is expected in a traditional project setup, where the main goal is that all developers get the same environment.
Therefore I would like to recommend to use npm ci.

Examples of "unexpected" behavior of npm install:

RobC
  • 22,977
  • 20
  • 73
  • 80
jbandi
  • 17,499
  • 9
  • 69
  • 81
  • 1
    It's a good thing that the package lock is updated with every install IMO - think about bugfixes and security updates of dependencies you would be missing if you were to freeze the exact same version forever – Patrick Hund Nov 25 '18 at 16:13
  • 8
    @PatrickHund Yes. But this should be in a controlled manner not "accidentally" by running npm install at a certain point in time. In a "traditional" software project it is essential that all team members have exactly the same environment. Else we get non-deterministic behavior. That is the main point of having a lock file. – jbandi Nov 25 '18 at 16:30
  • 2
    jbandi if you are using a recent npm, (after 5.4.2) you should not see package-lock changes. If you are seeing some changes that could only be because of different package-lock formats used in different npm versions. Or because of differences in OSs. (some dependencies are optional in some OSs) The versions of dependencies should not update. – Aruna Herath Nov 26 '18 at 05:38
  • 2
    @PatrickHund Its a bad thing. The whole point of lock files is to avoid that. We do have to update lock files time to time. Like on a major release. But if every npm i updates the lock file we might as well not use them at all. – Aruna Herath Nov 26 '18 at 05:40
  • 1
    @ArunaHerath Thanks! So `npm install` has improved ... but is there a reason *NOT* to use `npm ci`? If you write this in an answer, I will accept it ... – jbandi Nov 26 '18 at 15:37

2 Answers2

1

You should use npm ci (clean install) whenever you want a reproducible environment. You are right: the dev team should use it most of the time.

Use npm install only when they modify the packages or are ready to upgrade dependencies (one of them does it and fixes conflicts; after the commit of package.json AND package-lock.json, the others keep doing npm ci).

Please, see my answer explaining the uses of each tool.

Ictus
  • 1,435
  • 11
  • 20
0

There isn't a reason to use npm ci instead of npm i when building a repo locally or updating dependencies (because it uses the npm cache, it's roughly the same speed as npm i), but there are the following situations where npm i might be preferred:

  1. You actually want to receive minor/patch updates of your direct dependencies automatically;
  2. if you've made manual changes to versions in package.json and want them to trump the versions in package-lock.json.
Andrew
  • 3,825
  • 4
  • 30
  • 44
  • 2
    If you are a solo developer, it is probably OK. If not, `npm ci` prevents a lot of "it works on my computer" weird issues. On the other hand, `npm ci` cannot update individual dependencies; that is the function of `npm install`. – Ictus Aug 21 '22 at 11:22