javascript - Using "npm ci" instead of "npm install" for deterministic project setup - Stack

Given a project where the package-lock.json is managed in source control with the goal that all developers on the team get exactly the same dependencies.

From the documentation of npm I think developers should use npm ci to set up their development environment and probably also later when dependencies are updated.

However, the instructions I see in typical npm projects are still to use npm install.

Is there a reason developers should use npm install instead of npm ci? Does npm ci have disadvantages in this scenario?

I understand that npm ci does delete the whole node_modules and therefore potentially re-downloads some dependencies that were already present.

But with npm install I regularly had the case that an npm install actually changes the package-lock.json (see links below), which is definitely not what is expected in a traditional project setup, where the main goal is that all developers get the same environment.
Therefore I would like to recommend using npm ci.

Examples of "unexpected" behavior of npm install:

  • Why does "npm install" rewrite package-lock.json?
  • https://github.com/npm/npm/issues/17722
  • https://npm.community/t/package-lock-json-keeps-changing-between-platforms-and-runs/1129/3
  • https://github.com/npm/npm/issues/20434
  • https://npm.community/t/package-lock-json-changes-from-one-npm-install-to-the-next/1454
asked Nov 25, 2018 at 15:31 by jbandi; edited Jan 1, 2019 at 20:51 by RobC
  • 1 It's a good thing that the package lock is updated with every install IMO – think about bugfixes and security updates of dependencies you would be missing if you were to freeze the exact same version forever. – Patrick Hund Commented Nov 25, 2018 at 16:13
  • 8 @PatrickHund Yes. But this should be in a controlled manner, not "accidentally" by running npm install at a certain point in time. In a "traditional" software project it is essential that all team members have exactly the same environment. Else we get non-deterministic behavior. That is the main point of having a lock file. – jbandi Commented Nov 25, 2018 at 16:30
  • 2 jbandi, if you are using a recent npm (after 5.4.2), you should not see package-lock changes. If you are seeing some changes, that could only be because of different package-lock formats used in different npm versions, or because of differences in OSs (some dependencies are optional in some OSs). The versions of dependencies should not update. – Aruna Herath Commented Nov 26, 2018 at 5:38
  • 2 @PatrickHund It's a bad thing. The whole point of lock files is to avoid that. We do have to update lock files from time to time, like on a major release. But if every npm i updates the lock file, we might as well not use them at all. – Aruna Herath Commented Nov 26, 2018 at 5:40
  • 1 @ArunaHerath Thanks! So npm install has improved ... but is there a reason NOT to use npm ci? If you write this in an answer, I will accept it ... – jbandi Commented Nov 26, 2018 at 15:37

2 Answers


You should use npm ci (clean install) whenever you want a reproducible environment. You are right: the dev team should use it most of the time.

Use npm install only when they modify the packages or are ready to upgrade dependencies (one of them does it and fixes conflicts; after the commit of package.json AND package-lock.json, the others keep doing npm ci).

Please, see my answer explaining the uses of each tool.

There isn't a reason to use npm ci instead of npm i when building a repo locally or updating dependencies (because it uses the npm cache, it's roughly the same speed as npm i), but there are the following situations where npm i might be preferred:

  1. You actually want to receive minor/patch updates of your direct dependencies automatically;
  2. if you've made manual changes to versions in package.json and want them to trump the versions in package-lock.json.
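The "unexpected" behaviour the question describes (an install silently rewriting package-lock.json) is a lock-drift problem: once the committed lock no longer matches what was installed, the team no longer shares one dependency tree. `npm ci` sidesteps it because it never writes the lock file and aborts when package.json and package-lock.json disagree. For the `npm install` path that the second answer still recommends in some cases, the following POSIX shell guard is an added example, not code from the question or either answer: it fingerprints package-lock.json before and after an arbitrary command and reports whether the lock was rewritten, so a developer notices drift immediately instead of discovering it in a diff later. The function names `lock_fingerprint` and `run_and_check_lock`, and the file name `lockguard.sh` in the usage comment, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original question or answers): detect when a
# command rewrites package-lock.json. `npm ci` never touches the lock file, so
# this guard is for `npm install` runs and for CI jobs that must fail on drift.
#
# Usage when run directly (assumed file name lockguard.sh):
#   sh lockguard.sh npm install
# In CI, prefer `npm ci` and additionally fail if the committed lock differs:
#   npm ci && git diff --exit-code package-lock.json

# lock_fingerprint DIR: print a stable fingerprint (CRC:size) of the lock file.
# cksum is POSIX, so this works on minimal images where sha256sum is absent.
lock_fingerprint() {
    cksum "$1/package-lock.json" | awk '{print $1 ":" $2}'
}

# run_and_check_lock DIR CMD [ARGS...]: run CMD inside DIR and return
#   0  if package-lock.json is byte-identical afterwards,
#   1  if the command rewrote or removed it,
#   2  if there was no package-lock.json to protect in the first place,
#   or the command's own non-zero status if the command itself failed.
# Variables are intentionally not declared `local`, which is not POSIX sh.
run_and_check_lock() {
    dir=$1
    shift
    if [ ! -f "$dir/package-lock.json" ]; then
        echo "run_and_check_lock: no package-lock.json in $dir" >&2
        return 2
    fi
    before=$(lock_fingerprint "$dir")
    # Run the command in a subshell so a `cd` inside it cannot leak out.
    ( cd "$dir" && "$@" ) || return $?
    if [ ! -f "$dir/package-lock.json" ]; then
        echo "run_and_check_lock: package-lock.json was removed" >&2
        return 1
    fi
    after=$(lock_fingerprint "$dir")
    if [ "$before" != "$after" ]; then
        echo "run_and_check_lock: package-lock.json changed ($before -> $after);" \
             "inspect with 'git diff package-lock.json' and commit or revert deliberately" >&2
        return 1
    fi
    return 0
}
```

The guard deliberately reports a removed lock file as drift too, since a missing lock is the same loss of reproducibility as a rewritten one. In a CI pipeline the simpler `npm ci && git diff --exit-code package-lock.json` in the comment is enough; the function is for local wrappers where developers keep using `npm install` and want to be told the moment the lock moves.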
