TechQA.

Did "npm install" become deterministic in npm 7?

780 views Asked by At

Here https://github.blog/2021-02-02-npm-7-is-now-generally-available/ it's said:

The lockfile v2 unlocks the ability to do deterministic and reproducible builds to produce a package tree.

But I wonder is it the default behavior now for npm 7? That is, if there is a package-lock.json will npm install update top-most packages with imprecise versions like ^1.0.0 from package.json or it will always work the same way as yarn does?

If npm install is deterministic now, will I be right if I say that npm ci is mostly an equivalent of

rm -rf node_modules && npm install

with some additional checks?

npm npm-install npm-ci
Original Q&A
1

There are 1 answers

0
waleed ali On BEST ANSWER

Short Answer:

Yes!

Longer Answer:

Provided you have a package-lock.json or a yarn.lock file, both npm or yarn, respectively, do yield deterministic results.

One thing to note here is that yarn, using yarn.lock file, however, yields deterministic builds only for a specific version of yarn.

Yarn installs are guaranteed to be deterministic given a single combination of yarn.lock and Yarn version. It is possible that a different version of Yarn will result in a different tree layout on disk.

Whereas npm's algorithms allow it to yield deterministic results even for different versions of the npm because npm tree building contract is entirely specified by the package-lock.json file.

You can find a more detailed explanation of the two in this Blog

Related Questions in NPM

Related Questions in NPM-INSTALL

Related Questions in NPM-CI

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions