I am a bit new to this whole CI/CD world, but whenever I see the config.yml files in any Node.js project there is always `npm ci` instead of `npm install`. I have read some things from docs but it's still unclear to me. Can someone please explain in clear and concise language?

1 Answer
`npm install` generates the package-lock.json for you. The file contains the exact version numbers of all dependencies that you installed as well as the version numbers of transitive dependencies, all based on what you defined in package.json. Note, however, that in your package.json you can define your version starting with `^` or `~`, suggesting that you want to install the latest patch or minor version of a certain dependency. As a result, every time you run `npm install` your package-lock.json might end up containing slightly newer versions of your packages if available.

`npm ci`, on the other hand, does not generate a package-lock.json file. Quite the opposite. It requires your package-lock.json to already be there and it installs exactly the versions that are listed there. This is the command that you want to run on your CI/CD pipeline. This way you can ensure that your pipeline uses exactly the same dependencies you last used locally and can confirm that they worked for you.

- Thanks for such a wonderful and crystal clear explanation – Mayank_MP5 Oct 07 '21 at 11:07
- package-lock.json also contains versions starting from either ~ or ^. Does that mean every time you run npm ci, slightly newer versions of the packages might be included? – Stacky Jan 26 '22 at 23:08
- If package-lock.json does not exist, will npm ci then look for the npm-shrinkwrap.json file? – JN_newbie Jun 07 '22 at 11:10
- But the docs say about `npm i`: "This command installs a package and any packages that it depends on. If the package has a package-lock, or an npm shrinkwrap file, or a yarn lock file, the installation of dependencies will be driven by that". Does this mean that `package-lock.json` will not be updated after `npm i`, because the deps in there are exact? – Sviatozar Petrenko Oct 24 '22 at 11:37
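
An added example, not part of the original question, answer or comments: a simplified check of the property that `npm ci` depends on, namely that package.json and package-lock.json agree and that every locked package is pinned to an exact `version` with an `integrity` hash. It assumes a lockfileVersion 2 or 3 file; `auditLock`, the package names and the hashes are constructed for illustration, and this is not npm's own algorithm. Ranges such as `~0.3.0` inside a lock entry record what a package asks for, while the `version` field is what gets installed.

```javascript
// Added example: simplified consistency check, not npm's own algorithm.
// Assumes lockfileVersion 2 or 3 (a top-level "packages" map).
function auditLock(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[""] || {};
  for (const field of ["dependencies", "devDependencies"]) {
    const recorded = root[field] || {};
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      // The lock's root entry mirrors the ranges declared in package.json.
      if (recorded[name] !== range) {
        problems.push(`${name}: package.json has "${range}", lock has "${recorded[name]}"`);
      }
      // The version actually installed is pinned in its own entry.
      if (!packages[`node_modules/${name}`]) {
        problems.push(`${name}: no pinned entry in lock`);
      }
    }
  }
  for (const [path, entry] of Object.entries(packages)) {
    // Skip the root project, workspace links and bundled packages.
    if (path === "" || entry.link || entry.inBundle) continue;
    if (!/^\d+\.\d+\.\d+/.test(entry.version || "")) problems.push(`${path}: version is not exact`);
    // Anything without a hash cannot be verified on install; flag it for review.
    if (!entry.integrity) problems.push(`${path}: missing integrity hash`);
  }
  return problems;
}

// Constructed sample data; package names and hashes are placeholders.
const samplePkg = { name: "demo-app", dependencies: { "left-helper": "^1.2.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-helper": "^1.2.0" } },
    "node_modules/left-helper": {
      version: "1.2.4",
      integrity: "sha512-PLACEHOLDER-A",
      dependencies: { "pad-util": "~0.3.0" }, // a range: what left-helper asks for
    },
    "node_modules/pad-util": { version: "0.3.1", integrity: "sha512-PLACEHOLDER-B" },
  },
};

console.log(auditLock(samplePkg, sampleLock)); // in-sync files
```

Running a check like this as a pipeline step before `npm ci` gives a readable report when someone edits package.json without regenerating the lock file.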