Given a project where the `package-lock.json` is managed in source control with the goal that all developers on the team get exactly the same dependencies.

From the documentation of npm I think developers should use `npm ci` to set up their development environment and probably also later when dependencies are updated. However, the instructions I see in typical npm projects are still to use `npm install`.

Is there a reason developers should use `npm install` instead of `npm ci`? Does `npm ci` have disadvantages in this scenario?

I understand that `npm ci` does delete the whole `node_modules` and therefore potentially re-downloads some dependencies that were already present. But with `npm install` I regularly had the case that an `npm install` is actually changing the `package-lock.json` (see links below), which is definitely not what is expected in a traditional project setup, where the main goal is that all developers get the same environment. Therefore I would like to recommend using `npm ci`.

Examples of "unexpected" behavior of `npm install`:
- Why does "npm install" rewrite package-lock.json?
- https://github.com/npm/npm/issues/17722
- https://npm.community/t/package-lock-json-keeps-changing-between-platforms-and-runs/1129/3
- https://github.com/npm/npm/issues/20434
- https://npm.community/t/package-lock-json-changes-from-one-npm-install-to-the-next/1454
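The drift the question describes (a lockfile that differs after a command ran) can be made visible with a small check. The script below is an added example, not part of the question or of npm itself: it compares two parsed `package-lock.json` documents (lockfileVersion 2/3 `packages` layout) and reports packages that were added, removed, changed in version/resolved/integrity, or that lack an `integrity` hash. The sample lockfiles and their URLs and hashes are constructed placeholders.

```python
"""Compare two package-lock.json documents and report dependency drift."""
import json


def _packages(lock):
    """Return {path: (version, resolved, integrity)} for lockfileVersion 2/3."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # "" is the root project entry, not a dependency
            continue
        out[path] = (meta.get("version"), meta.get("resolved"), meta.get("integrity"))
    return out


def diff_lockfiles(before, after):
    """Report added/removed/changed packages between two parsed lockfiles,
    plus entries in `after` that carry no integrity hash (unverifiable)."""
    a, b = _packages(before), _packages(after)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
        "missing_integrity": sorted(p for p, (_, _, integ) in b.items() if not integ),
    }


def lockfile_drifted(before_text, after_text):
    """True when the dependency set differs; suitable as a pre-commit/CI gate."""
    d = diff_lockfiles(json.loads(before_text), json.loads(after_text))
    return any(d[k] for k in ("added", "removed", "changed"))


# Constructed sample lockfiles (placeholder URLs and hashes, not real packages).
COMMITTED = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.example/left-pad-1.3.0.tgz",
        "integrity": "sha512-PLACEHOLDER_A"},
    "node_modules/semver": {"version": "7.5.4",
        "resolved": "https://registry.example/semver-7.5.4.tgz",
        "integrity": "sha512-PLACEHOLDER_B"}}})
AFTER_INSTALL = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.example/left-pad-1.3.0.tgz",
        "integrity": "sha512-PLACEHOLDER_A"},
    "node_modules/semver": {"version": "7.6.0",
        "resolved": "https://registry.example/semver-7.6.0.tgz",
        "integrity": "sha512-PLACEHOLDER_C"},
    "node_modules/lru-cache": {"version": "6.0.0",
        "resolved": "https://registry.example/lru-cache-6.0.0.tgz"}}})

if __name__ == "__main__":
    print(json.dumps(diff_lockfiles(json.loads(COMMITTED), json.loads(AFTER_INSTALL)), indent=2))
```

In practice you would feed it the committed file (for example from `git show HEAD:package-lock.json`) and the working-tree copy after the command ran.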
You should use `npm ci` (clean install) whenever you want a reproducible environment. You are right: the dev team should use it most of the time.

Use `npm install` only when they modify the packages or are ready to upgrade dependencies (one of them does it and fixes conflicts; after the commit of `package.json` AND `package-lock.json`, the others keep doing `npm ci`).

Please, see my answer explaining the uses of each tool.