I work at a largish project with ~10 devs. We have package.json and the resulting package-lock.json committed, and our CI pipeline does npm ci to restore packages according to package-lock.json.
Currently, the developers are instructed to clone the repo and run npm install. However, I found that npm install will install different versions that match the version spec in package.json - for example, ^5.0.5 might cause npm install to install version 5.1.1, or to keep 5.0.5 if it was already in there.
So, I want to change the instructions for developers to:
- (common case) If you don't want to change packages or package versions, only use npm ci
- If you do, use npm install and/or npm update (possibly with --save-dev), test locally, and then commit the resulting package.json and package-lock.json.
Are these instructions sound? Am I missing something?
CodePudding user response:
Per documentation "this command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies." (emphasis mine).
I prefer using it instead of "install", because it gives some insurances about the state of the node_modules folder.
- It will remove the modules folder, if it is present, which will remove everything that is not in the lock file, but may accidentally be present from a previous install.
- It will throw an error if someone changed dependencies by hand and didn't update the lock file.
- It will be faster than install, because it doesn't need to build a new dependency tree, and it will preserve versions of dependencies which were installed by tag (like latest or next) or by wild card (*). And sometimes this is a very good thing - the recent colors incident is a good illustration.
Basically it means that my colleagues and I will all get identical node_modules folder contents. One of the advantages of Yarn in its early days was reproducible installs with a lock file, and it is considered a good practice.
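The second bullet above (npm ci refusing to run when package.json was edited by hand without regenerating the lock file) can be reproduced as a small pre-commit check. This is an added example, not code from the question or answer and not npm's own implementation: it compares the root manifest against the `packages[""]` entry that lockfileVersion 2/3 files carry, and both JSON documents here are constructed samples with placeholder integrity hashes.

```python
import json

# Constructed sample manifest and lock file (lockfileVersion 3 layout, where
# packages[""] mirrors the root package.json). Hashes are placeholders.
PACKAGE_JSON = json.loads("""{
  "name": "demo", "version": "1.0.0",
  "dependencies": {"express": "^4.18.0"},
  "devDependencies": {"jest": "^29.0.0"}
}""")

PACKAGE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.18.0"}, "devDependencies": {"jest": "^29.0.0"}},
    "node_modules/express": {"version": "4.18.2", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/jest": {"version": "29.7.0", "integrity": "sha512-PLACEHOLDER", "dev": true}
  }
}""")

FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def lock_problems(manifest, lock):
    """Return reasons a lock file should be rejected before `npm ci` runs.
    An empty list means manifest and lock agree. This loosely mirrors npm's
    check: every direct dependency must appear in the lock root with the same
    spec, and must have a pinned, integrity-protected node_modules entry."""
    problems = []
    packages = lock.get("packages", {})
    root = packages.get("", {})
    for field in FIELDS:
        want = manifest.get(field, {})
        have = root.get(field, {})
        for name, spec in want.items():
            if name not in have:
                problems.append(f"{field}: {name} missing from lock root")
            elif have[name] != spec:
                problems.append(f"{field}: {name} spec {have[name]!r} in lock, {spec!r} in package.json")
            entry = packages.get(f"node_modules/{name}")
            if entry is None:
                problems.append(f"{name}: no node_modules entry in lock")
            elif not entry.get("version") or not entry.get("integrity"):
                problems.append(f"{name}: lock entry lacks pinned version or integrity hash")
        for name in have:
            if name not in want:
                problems.append(f"{field}: {name} in lock but not in package.json")
    return problems

if __name__ == "__main__":
    print(lock_problems(PACKAGE_JSON, PACKAGE_LOCK))  # [] -> in sync, npm ci would proceed
    # Simulate a hand-edited package.json that was committed without running npm install.
    edited = {**PACKAGE_JSON, "dependencies": {**PACKAGE_JSON["dependencies"], "lodash": "^4.17.21"}}
    print(lock_problems(edited, PACKAGE_LOCK))
```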