Why to use »npm ci« instead of »npm install«
We had some problems with our pipelines/actions lately, which could easily be resolved by using npm ci instead of npm install.
The short version
Use npm install to update and install your dependencies.
Use npm ci to only install your dependencies.
Always use npm ci in your pipelines/actions, never npm install.
Don’t compare it with composer
Personally, I do have a strong PHP background and am using composer as PHP’s Package dependency manager on a daily basis.
One of the first things you would learn about composer, is the difference between the install and update command:
composer update will read your composer.json, update all dependencies, write those in your composer.lock file and install them afterwards.
In case you only want to install your packages as locked in your composer.lock file, use composer install instead. This will ensure, that your production environment uses the same dependency versions.
That does make sense, right? This is what we want to use in our pipelines or actions (depending which kind of CI/CD you are using). This does make sure to not auto-update dependencies when deploying. Maybe some updated ones might break something.
Let’s transfer this knowledge to npm
Do we agree, that we want to update dependencies locally, lock those dependencies in our lock-file and only want to install those dependencies as we did lock them?
This does avoid any auto-update which might break something in you application. That’s the exact reason, composer install is being widely used in all production pipelines that I have seen.
npm install does work in a different way than composer install
This is the key element to understand! Those commands are not the same. Let me explain:
Unlike composer install, npm install will update your dependencies before installing. This isn’t logical at all when you have a PHP background, but it’s important to understand and you need to deal with it.
Running npm install or npm update are nearly the same and will update your package-lock.json, which is what you want to avoid in production.
If you want the same functionality as composer install, use npm ci.
Use npm ci if you don’t want to update
npm ci will parse your package-lock.json, won’t do any updates and install those packages.
This is exactly the same as using composer install in the PHP world.
Please update your Pipeline or Actions
If you do use any kind of Pipelines or Actions, make sure to use npm ci, to avoid any problems.
This will avoid merge conflicts. Just in case: Yes, you should version control your package-lock.json file, so every developer working with your project will use the same dependencies as you do and as your production environment does.
Besides this and other occurring problems, it will make your pipelines and actions faster, as npm ci will be finished in less time than install.
I hope this was helpful.
Cover image by https://unsplash.com/@romanenko29061983