
Given a project where the `package-lock.json` is managed in source control with the goal that all developers on the team get exactly the same dependencies.

From the documentation of npm I think developers should use `npm ci` to set up their development environment and probably also later when dependencies are updated.

However, the instructions I see in typical npm projects are still to use `npm install`.

Is there a reason developers should use `npm install` instead of `npm ci`? Does `npm ci` have disadvantages in this scenario?

I understand that `npm ci` deletes the whole `node_modules` and therefore potentially re-downloads some dependencies that were already present.

But with `npm install` I regularly had the case that an `npm install` actually changed the `package-lock.json` (see links below), which is definitely not what is expected in a traditional project setup, where the main goal is that all developers get the same environment.
Therefore I would like to recommend using `npm ci`.

Examples of "unexpected" behavior of `npm install`:

  • It's a good thing that the package lock is updated with every install IMO - think about bugfixes and security updates of dependencies you would be missing if you were to freeze the exact same version forever – Patrick Hund Nov 25 '18 at 16:13
  • @PatrickHund Yes. But this should be in a controlled manner, not "accidentally" by running `npm install` at a certain point in time. In a "traditional" software project it is essential that all team members have exactly the same environment. Else we get non-deterministic behavior. That is the main point of having a lock file. – jbandi Nov 25 '18 at 16:30
  • jbandi if you are using a recent npm (after 5.4.2) you should not see package-lock changes. If you are seeing some changes that could only be because of different package-lock formats used in different npm versions. Or because of differences in OSs (some dependencies are optional in some OSs). The versions of dependencies should not update. – Aruna Herath Nov 26 '18 at 05:38
  • @PatrickHund It's a bad thing. The whole point of lock files is to avoid that. We do have to update lock files from time to time, like on a major release. But if every `npm i` updates the lock file we might as well not use them at all. – Aruna Herath Nov 26 '18 at 05:40
  • @ArunaHerath Thanks! So `npm install` has improved ... but is there a reason *NOT* to use `npm ci`? If you write this in an answer, I will accept it ... – jbandi Nov 26 '18 at 15:37
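The question and the comments turn on one observation: `npm install` sometimes rewrites `package-lock.json`, and the comment above notes that one cause is a different lock-file format written by a different npm version. When that happens, the practical question is *what* changed, because a bumped version is a different problem from the same version now pointing at a different tarball. The script below is an added example (it is not part of the question, nor an npm tool): it flattens two lock documents, lockfileVersion 1 (nested `dependencies`) or 2/3 (flat `packages` map), into the same "install path to version/resolved/integrity" shape and reports added, removed and changed entries. The two sample lock documents and their `sha512-…` values are constructed placeholders for the demonstration.

```javascript
// Added example: report dependency drift between two package-lock.json documents.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map) so a
// lock written by an older npm can be compared with one rewritten by a newer npm.

function flattenLock(lock) {
  const entries = new Map();
  const pick = (meta) => ({ version: meta.version, resolved: meta.resolved, integrity: meta.integrity });

  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as "node_modules/foo" or
    // "node_modules/foo/node_modules/bar"; the "" key is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '') entries.set(path, pick(meta));
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a nested tree. Rebuild the same install-path keys so a
    // v1 "before" and a v3 "after" line up entry for entry.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        entries.set(path, pick(meta));
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return entries;
}

function diffLocks(before, after) {
  const a = flattenLock(before);
  const b = flattenLock(after);
  const report = { added: [], removed: [], changed: [] };
  for (const [path, meta] of b) {
    const prev = a.get(path);
    if (!prev) { report.added.push({ path, ...meta }); continue; }
    if (prev.version !== meta.version || prev.resolved !== meta.resolved || prev.integrity !== meta.integrity) {
      report.changed.push({ path, before: prev, after: meta });
    }
  }
  for (const [path, meta] of a) {
    if (!b.has(path)) report.removed.push({ path, ...meta });
  }
  return report;
}

// Same version string, but a different integrity hash or resolved URL: a different
// tarball is now pinned under an unchanged version. Review these entries first.
function suspiciousChanges(report) {
  return report.changed.filter((c) => c.before.version === c.after.version);
}

function formatReport(report) {
  const lines = [];
  for (const e of report.added) lines.push(`+ ${e.path} ${e.version}`);
  for (const e of report.removed) lines.push(`- ${e.path} ${e.version}`);
  for (const c of report.changed) {
    const note = c.before.integrity !== c.after.integrity ? ' (integrity changed)' : '';
    lines.push(`~ ${c.path} ${c.before.version} -> ${c.after.version}${note}`);
  }
  return lines;
}

// Constructed sample locks; the sha512 values are placeholders, not real hashes.
const BEFORE_LOCK = {
  name: 'demo', lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz', integrity: 'sha512-AAAA' },
    debug: {
      version: '4.1.1', resolved: 'https://registry.npmjs.org/debug/-/debug-4.1.1.tgz', integrity: 'sha512-BBBB',
      dependencies: { ms: { version: '2.1.1', resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.1.tgz', integrity: 'sha512-CCCC' } },
    },
  },
};
const AFTER_LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz', integrity: 'sha512-ZZZZ' },
    'node_modules/debug': { version: '4.3.4', resolved: 'https://registry.npmjs.org/debug/-/debug-4.3.4.tgz', integrity: 'sha512-DDDD' },
    'node_modules/debug/node_modules/ms': { version: '2.1.1', resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.1.tgz', integrity: 'sha512-CCCC' },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz', integrity: 'sha512-EEEE' },
  },
};

const sampleReport = diffLocks(BEFORE_LOCK, AFTER_LOCK);
console.log(formatReport(sampleReport).join('\n'));
const flagged = suspiciousChanges(sampleReport).map((c) => c.path);
if (flagged.length) console.log(`Same version, different tarball: ${flagged.join(', ')}`);
```

On a real project, feed `diffLocks` the committed lock (`git show HEAD:package-lock.json`, parsed with `JSON.parse`) as "before" and the working-tree `package-lock.json` after an `npm install` as "after". Because `npm ci` never writes the lock file and fails outright when `package.json` and `package-lock.json` disagree, running `npm ci` followed by `git diff --exit-code -- package-lock.json` is the cheap way to enforce the "everyone gets the same tree" goal the question describes; the diff script above is for understanding the cases where `npm install` already rewrote it.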
