I work at a largish project with ~10 devs. We have package.json and the resulting package-lock.json committed, and our ci pipeline does npm ci to restore packages according to package-lock.json.
Currently, the developers are instructed to clone the repo and run npm install. However, I found that npm install will install different versions that match the version spec in package.json - for example, ^5.0.5 might cause npm install to install version 5.1.1, or to keep 5.0.5 if it was already in there.
So, I want to change the instructions for developers to:
- (common case) If you don't want to change packages or package versions, only use npm ci.
- If you do, use npm install and/or npm update (possibly with --save-dev), test locally, and then commit the resulting package.json and package-lock.json.
Are these instructions sound? Am I missing something?
CodePudding user response:
Per documentation "this command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies." (emphasis mine).
I prefer using it instead of "install", because it gives some assurance about the state of the node_modules folder.
- It will remove the modules folder, if it is present, which will remove everything that is not in the lock file but may accidentally be present from a previous install.
- It will throw an error if someone changed dependencies by hand and didn't update the lock file.
- It will be faster than install, because it doesn't need to build a new dependency tree, and it will preserve versions of dependencies which were installed by tag (like latest or next) or by wildcard (*). And sometimes this is a very good thing - the recent colors incident is a good illustration.
Basically it means that all my colleagues and I will get identical node_modules folder contents. One of the advantages of Yarn in its early days was reproducible installs with a lock file, and it is considered a good practice.
