Is using npm-ci by developers a good NPM working process?

Time: 04-03

I work at a largish project with ~10 devs. We have package.json and the resulting package-lock.json committed, and our ci pipeline does npm ci to restore packages according to package-lock.json.

Currently, the developers are instructed to clone the repo and run npm install. However, I found that npm install will install different versions that match the version spec in package.json - for example, ^5.0.5 might cause npm install to install version 5.1.1, or to keep 5.0.5 if it was already in there.

So, I want to change the instructions for developers to:

  • (common case) If you don't want to change packages or package versions, only use npm ci.
  • If you do, use npm install and/or npm update (possibly with --save-dev), test locally, and then commit the resulting package.json and package-lock.json.

Are these instructions sound? Am I missing something?

CodePudding user response:

Per documentation "this command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies." (emphasis mine).

I prefer using it instead of "install", because it gives some assurances about the state of the node_modules folder.

  • It will remove the node_modules folder, if it is present, which removes everything that is not in the lock file but may accidentally be present from a previous install.
  • It will throw an error if someone changed dependencies by hand and didn't update the lock file.
  • It will be faster than install, because it doesn't need to build a new dependency tree, and it will preserve versions of dependencies which were installed by tag (like latest or next) or by wildcard (*). And sometimes this is a very good thing - the recent colors incident is a good illustration.

Basically it means that my colleagues and I will all get identical node_modules folder contents. One of the advantages of Yarn in its early days was reproducible installs with a lock file, and it is considered a good practice.
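As an added illustration (not part of the question or the answer above), here is a small Node.js guard that mimics the consistency check npm ci performs before it refuses to install: every dependency in package.json must appear in the lock file's root entry with the same spec, and the locked version must satisfy that spec. It is a simplification of npm's real logic (only exact versions and caret ranges are handled), and the package.json / package-lock.json objects below are constructed sample data.

```javascript
// Added example, not from the original post. Data is constructed; lockfileVersion 2 layout.
const packageJson = {
  dependencies: { colors: "^1.4.0", express: "4.17.1" },
  devDependencies: { jest: "^27.0.0" },
};
const packageLock = {
  lockfileVersion: 2,
  packages: {
    // The "" entry records the specs the lock was generated from; npm ci compares it to package.json.
    "": { dependencies: { colors: "^1.4.0", express: "4.17.1" }, devDependencies: { jest: "^27.0.0" } },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/jest": { version: "27.5.1" },
  },
};

const parse = (v) => v.split(".").map(Number);

// True when `version` satisfies `range` under npm's caret semantics (simplified: caret or exact only):
// ^1.2.3 => >=1.2.3 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => exactly 0.0.3.
function satisfies(version, range) {
  const exact = !range.startsWith("^");
  const [rMaj, rMin, rPat] = parse(exact ? range : range.slice(1));
  const [vMaj, vMin, vPat] = parse(version);
  const notBelow = (vMaj - rMaj || vMin - rMin || vPat - rPat) >= 0;
  if (exact) return vMaj === rMaj && vMin === rMin && vPat === rPat;
  if (rMaj > 0) return notBelow && vMaj === rMaj;
  if (rMin > 0) return notBelow && vMaj === 0 && vMin === rMin;
  return vMaj === 0 && vMin === 0 && vPat === rPat;
}

// Returns a list of problems; an empty list means package.json and the lock file are in sync.
function lockfileProblems(pkg, lock) {
  const problems = [];
  const wanted = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const root = lock.packages[""] || {};
  const locked = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  for (const [name, range] of Object.entries(wanted)) {
    // A hand-edited package.json spec that the lock root does not record is what makes npm ci error out.
    if (locked[name] !== range) { problems.push(`${name}: spec ${range} not in lock root (${locked[name]})`); continue; }
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lock`); continue; }
    if (!satisfies(entry.version, range)) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
  }
  for (const name of Object.keys(locked)) if (!(name in wanted)) problems.push(`${name}: in lock but not package.json`);
  return problems;
}

console.log(lockfileProblems(packageJson, packageLock)); // [] for the sample data above
```

Running this against a package.json where colors was bumped to ^1.5.0 by hand reports the mismatch, which is the situation in which npm ci stops instead of silently resolving a new version the way npm install would.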
