40

I'm using npm as part of building the production Docker image. I want to make sure the package-lock.json doesn't change and matches.

BuZZ-dEE
user972014

1 Answer

52

You can use npm ci.

npm ci bypasses a package’s package.json to install modules from a package’s lockfile. This ensures reproducible builds—you are getting exactly what you expect on every install.

https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

Andrei Tătar

That doesn't ensure that it matches the `package.json` though? – VoxPelli Apr 09 '21 at 13:07

@VoxPelli the [docs](https://docs.npmjs.com/cli/v8/commands/npm-ci) state that "if dependencies in the package lock do not match those in package.json, `npm ci` will exit with an error, instead of updating the package lock." – bfdes Dec 10 '21 at 00:55

Sadly `npm ci` will delete node_modules, so it has a quite annoying penalty for CI pipelines by removing the cache. – Salz Jun 15 '22 at 08:05

@Salz maybe this helps: https://stackoverflow.com/a/60355056/3016654 – Andrei Tătar Jun 15 '22 at 08:49

@AndreiTătar thanks, should at least prevent the redownload. – Salz Jun 22 '22 at 17:05
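As an added example (not part of the answer or the npm project), the following POSIX sh helper makes the lockfile guarantee explicit in a build step: it hashes `package-lock.json`, runs the install (`npm ci` by default), and fails the build if the lockfile's digest changed or the install itself failed. It assumes `sha256sum` (coreutils or busybox) is available; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: fail a Docker/CI build if the install step rewrites
# package-lock.json. Assumes sha256sum is on PATH (coreutils/busybox).
# Typical Dockerfile use:
#   COPY package.json package-lock.json ./
#   RUN . ./lockcheck.sh && verify_lock_unchanged package-lock.json npm ci

# Print only the hex digest of a file.
lock_digest() {
  sha256sum "$1" | cut -d' ' -f1
}

# verify_lock_unchanged LOCKFILE [CMD...]
# Runs CMD (default: npm ci). Returns 2 if LOCKFILE is missing, 1 if CMD
# fails or LOCKFILE's digest differs afterwards, 0 otherwise.
verify_lock_unchanged() {
  lock="$1"; shift
  [ -f "$lock" ] || { echo "missing lockfile: $lock" >&2; return 2; }
  before=$(lock_digest "$lock")
  if [ "$#" -eq 0 ]; then
    # npm ci already refuses to update the lock when it disagrees with
    # package.json; this check catches any other modification too.
    npm ci || return 1
  else
    "$@" || return 1
  fi
  after=$(lock_digest "$lock")
  if [ "$before" != "$after" ]; then
    echo "$lock was modified during install (was $before, now $after)" >&2
    return 1
  fi
  return 0
}
```

Because the digest is computed inside the build context, the check works without a `.git` directory, unlike `git diff --exit-code`.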