Lombiq/NPM-Targets

Use npm ci instead of npm install

Closed this issue · 2 comments

npm ci always just exactly installs what's in package-lock.json and thus is safer than npm install that can use different versions when executed at different times. Also, npm ci won't update package-lock.json unexpectedly. Use npm install manually when installing a new package. While npm ci is slower with incremental builds this doesn't matter because it'll be run only the first time (when it's as fast as npm install) and when packages change.

So, we should switch over to it. However, we need to wait for Node v16 so any version incompatibilities with node-gyp are resolved which currently prevent us from switching, see nodejs/node-gyp#2272 (and its linked issues: nodejs/node-gyp#2272 (comment)).

This is the necessary change: 473072e
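A CI guard for the lockfile point raised above, added here as an example and not code from the Lombiq/NPM-Targets project: it runs the install step and fails the build if the lockfile was rewritten, which is the property npm ci gives and npm install does not. The function name, the `--check` flag and the lockfile path default are assumptions.

```shell
#!/bin/sh
# Guard for a CI job: run the install step, then fail if it changed the lockfile.
# Usage: lockfile_unchanged_after <lockfile> <command...>
# Returns 0 when the lockfile is byte-identical before and after the command,
# 1 when the command failed, modified the lockfile or removed it.
lockfile_unchanged_after() {
  lockfile=$1
  shift
  [ -f "$lockfile" ] || { echo "missing $lockfile" >&2; return 1; }
  # cksum is POSIX, so this works in minimal CI images without sha256sum.
  before=$(cksum < "$lockfile")
  "$@" || { echo "install step failed" >&2; return 1; }
  [ -f "$lockfile" ] || { echo "$lockfile was removed by the install step" >&2; return 1; }
  after=$(cksum < "$lockfile")
  if [ "$before" != "$after" ]; then
    echo "$lockfile changed during install; commit the lockfile or use npm ci" >&2
    return 1
  fi
  return 0
}

# Optional entry point (hypothetical flag): ./guard.sh --check npm ci
case "${1:-}" in
  --check) shift; lockfile_unchanged_after package-lock.json "$@" ;;
esac
```

With `npm ci` the guard only ever fails when the lockfile is out of sync with package.json (npm ci refuses to install), so a failure points at a lockfile that was not committed rather than at drift introduced by the build itself.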

Now PNPM looks like a better choice.

We use PNPM, which is available.