npm install vs npm ci

TL;DR: Use npm ci in your CI/CD pipelines and npm install on your machine.

When running npm install, you may notice that the command sometimes rewrites your package-lock.json file, even though you did not change package.json.

There are many reasons for that:

  • Different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms.
  • A new version of a direct semver-range dependency may have been published since the last time your packages were installed, and thus a newer version will be used.
  • A dependency of one of your dependencies may have published a new version, which will be picked up even if you used a pinned specifier for your own dependency (1.2.3 instead of ^1.2.3), because the transitive dependency is still declared with a range.
  • The registry you installed from is no longer available, or allows mutation of versions (unlike the primary npm registry), and a different package now exists under the same version number.

Thus, if you run npm install in your CI/CD pipeline, two builds of the same commit may resolve different dependency trees: your builds are no longer reproducible, and the code you ship is not necessarily the code you reviewed and tested.

This is why in 2018 npm introduced the npm ci command (npm 5.7.0). npm ci requires an existing package-lock.json (or npm-shrinkwrap.json), removes any existing node_modules directory before installing, installs exactly the versions recorded in the lockfile, never writes to package.json or package-lock.json, and exits with an error instead of silently updating the lockfile when package.json and package-lock.json disagree. The result is builds that are both faster and reproducible.
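As an added example (not part of the original post), the following POSIX shell helper guards a pipeline install step against lockfile drift: it hashes package-lock.json before and after the install command and fails the build if the file was rewritten. npm ci never modifies the lockfile, so the guard mainly catches pipelines that still call npm install. The function names (file_digest, run_guarded, ci_install) are my own, and ci_install assumes Node.js and npm are on the PATH.

```shell
#!/bin/sh
# Added example: detect a CI install step that rewrote package-lock.json.
# Assumes POSIX sh plus sha256sum (Linux) or shasum (macOS); ci_install
# additionally assumes npm is installed. Function names are illustrative.
set -eu

# file_digest FILE -> prints the SHA-256 hex digest of FILE
file_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# run_guarded LOCKFILE CMD [ARGS...]
#   Runs CMD. Returns 0 if LOCKFILE is byte-identical afterwards,
#   1 if CMD rewrote LOCKFILE (lockfile drift), 2 if CMD itself failed.
run_guarded() {
  lockfile=$1
  shift
  before=$(file_digest "$lockfile")
  "$@" || return 2
  after=$(file_digest "$lockfile")
  if [ "$before" != "$after" ]; then
    echo "error: $lockfile was modified by '$*'." >&2
    echo "       Use 'npm ci' in CI and commit lockfile changes from your machine." >&2
    return 1
  fi
  return 0
}

# ci_install DIR -> the install step a pipeline would run inside DIR.
#   --ignore-scripts skips dependency lifecycle scripts, a common hardening
#   choice in CI; drop it if your build relies on them.
ci_install() {
  ( cd "$1" && run_guarded package-lock.json npm ci --ignore-scripts )
}
```

In a pipeline you would call ci_install on the checked-out repository; if it returns 1, the committed package-lock.json is out of date and should be regenerated and committed by a developer rather than patched up by the build server.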


Tags: javascript, programming, tutorial
