Why to use »npm ci« instead of »npm install«

We had some problems with our pipelines/actions lately, which could easily be resolved by using npm ci instead of npm install.

The short version

Use npm install to update and install your dependencies. Use npm ci to only install your dependencies.

Always use npm ci in your pipelines/actions, never npm install.

Don’t compare it with composer

Personally, I have a strong PHP background and use composer, PHP’s package dependency manager, on a daily basis.

One of the first things you learn about composer is the difference between the install and update commands: composer update reads your composer.json, updates all dependencies, writes the resolved versions into your composer.lock file and installs them afterwards.

If you only want to install your packages exactly as locked in your composer.lock file, use composer install instead. This ensures that your production environment uses the same dependency versions.

That makes sense, right? This is what we want to use in our pipelines or actions (depending on which kind of CI/CD you are using). It makes sure that dependencies are not auto-updated when deploying, because an updated dependency might break something.

Let’s transfer this knowledge to npm

Do we agree that we want to update dependencies locally, lock those dependencies in our lock file and then only install the dependencies exactly as we locked them?

This avoids any auto-update that might break something in your application. That is the exact reason composer install is widely used in all production pipelines that I have seen.

npm install works differently from composer install

This is the key element to understand! Those commands are not the same. Let me explain:

Unlike composer install, npm install will update your dependencies before installing. This does not feel logical at all when you come from a PHP background, but it is important to understand, and you need to deal with it.

Running npm install and running npm update are nearly the same: both will update your package-lock.json, which is exactly what you want to avoid in production.

If you want the same functionality as composer install, use npm ci.

Use npm ci if you don’t want to update

npm ci parses your package-lock.json, performs no updates and installs exactly the packages listed there.

This is exactly the same as using composer install in the PHP world.

Please update your Pipeline or Actions

If you use any kind of pipelines or actions, make sure to use npm ci there to avoid these problems.

This also avoids merge conflicts in the lock file. Just in case: yes, you should version control your package-lock.json file, so that every developer working on your project uses the same dependencies as you do and as your production environment does.

Besides avoiding these problems, it will also make your pipelines and actions faster, as npm ci finishes in less time than npm install.
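To make the pipeline rule above enforceable, here is an added example (not from the original post) of a POSIX shell install step that refuses to run without a committed lock file, runs npm ci, and then verifies that the lock file was not rewritten. It assumes the project directory is a git checkout; the script and function names are made up for this illustration.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): a CI install step that never
# falls back to "npm install" and proves the lock file survived untouched.
set -eu

# Return 0 when the project directory holds a lock file that npm ci can use.
has_lockfile() {
  [ -f "$1/package-lock.json" ] || [ -f "$1/npm-shrinkwrap.json" ]
}

# Return 0 when package-lock.json is tracked by git and has no local changes.
lockfile_is_clean() {
  git -C "$1" ls-files --error-unmatch package-lock.json >/dev/null 2>&1 &&
  git -C "$1" diff --quiet -- package-lock.json
}

# Install exactly what the lock file says; fail loudly instead of "updating".
ci_install() {
  dir="$1"
  if ! has_lockfile "$dir"; then
    echo "error: no package-lock.json in $dir; commit one instead of running npm install here" >&2
    return 1
  fi
  if ! lockfile_is_clean "$dir"; then
    echo "error: package-lock.json is untracked or modified; commit it first" >&2
    return 1
  fi
  # npm ci itself exits with an error if package.json and the lock file disagree.
  (cd "$dir" && npm ci)
  # Belt and braces: the lock file must be unchanged after the install.
  if ! lockfile_is_clean "$dir"; then
    echo "error: the install step rewrote package-lock.json" >&2
    return 1
  fi
}
```

Call it from the pipeline as `ci_install "$PWD"` (hypothetical usage); any non-zero exit stops the job before a silently updated dependency reaches production.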

I hope this was helpful.


Cover image by https://unsplash.com/@romanenko29061983
