We had some problems with our pipelines/actions lately, which could easily be resolved by using `npm ci` instead of `npm install`.

- `npm install` to update and install your dependencies.
- `npm ci` to only install your dependencies.
- `npm ci` in your pipelines/actions, never `npm install`.
Personally, I have a strong PHP background and use composer, PHP's package dependency manager, on a daily basis.
One of the first things you learn about composer is the difference between the install and update command:
`composer update` will read your composer.json, update all dependencies, write those in your composer.lock file and install them afterwards.
In case you only want to install your packages as locked in your composer.lock file, use `composer install` instead. This ensures that your production environment uses the same dependency versions.
That does make sense, right? This is what we want to use in our pipelines or actions (depending on which kind of CI/CD you are using). It makes sure that dependencies are not auto-updated when deploying, since an updated dependency might break something.
Do we agree that we want to update dependencies locally, lock those dependencies in our lock file and only install those dependencies exactly as we locked them?
This avoids any auto-update which might break something in your application. That's the exact reason `composer install` is widely used in all production pipelines that I have seen.
This is the key element to understand: `npm install` and `npm ci` are not the same. Let me explain:
`npm install` will update your dependencies before installing. This isn't logical at all when you have a PHP background, but it's important to understand and you need to deal with it.
`npm install` and `npm update` are nearly the same and will update your `package-lock.json`, which is what you want to avoid in production.
If you want the same functionality as `composer install`, use `npm ci`. `npm ci` will parse your `package-lock.json`, won't do any updates and will install exactly those packages.
This is exactly the same as using `composer install` in the PHP world.
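As an added example (not code from the original post), the following Node.js script approximates the consistency check `npm ci` performs before it refuses to run: every dependency declared in package.json must have a package-lock.json entry whose pinned version satisfies the declared range, otherwise `npm ci` errors instead of silently updating the lockfile the way `npm install` would. The package.json and lockfile objects are constructed inline; only the lockfileVersion 2/3 `packages` layout and exact, `^` and `~` ranges are handled.

```javascript
// Constructed sample input (not a real project's files); only the lockfileVersion 2/3
// layout and exact, ^ and ~ ranges are handled, other range syntax throws.
const samplePkg = {
  dependencies: { express: "^4.18.0", lodash: "~4.17.20", "left-pad": "1.3.0" },
  devDependencies: { jest: "^29.0.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "4.18.2" },
    "node_modules/lodash": { version: "4.16.6" }, // drifted: below ~4.17.20
    "node_modules/left-pad": { version: "1.3.0" },
    // jest is declared in package.json but absent from the lockfile
  },
};
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` satisfies `range` ("1.2.3", "^1.2.3" or "~1.2.3").
function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const [maj, min, pat] = parseVersion(version);
  const [rmaj, rmin, rpat] = parseVersion(op ? range.slice(1) : range);
  if (!op) return maj === rmaj && min === rmin && pat === rpat; // exact pin
  const atLeast = maj > rmaj || (maj === rmaj && (min > rmin || (min === rmin && pat >= rpat)));
  if (!atLeast) return false;
  if (rmaj === 0 && rmin === 0) return maj === 0 && min === 0 && pat === rpat; // ^0.0.x
  if (op === "~" || rmaj === 0) return maj === rmaj && min === rmin; // ~x.y.z or ^0.y.z
  return maj === rmaj; // ^x.y.z with x >= 1
}

// One message per declared dependency that `npm ci` would refuse to install as locked.
function lockfileDrift(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = (lock && lock.packages) || {};
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) problems.push(`${name}: declared as ${range} but missing from package-lock.json`);
    else if (!satisfies(range, entry.version)) problems.push(`${name}: lock pins ${entry.version}, package.json wants ${range}`);
  }
  return problems;
}

const drift = lockfileDrift(samplePkg, sampleLock);
console.log(drift.length ? drift.join("\n") : "package-lock.json is in sync with package.json");
```

Running it against the sample data reports lodash (pinned version below the declared range) and jest (missing from the lockfile), the two situations in which `npm ci` aborts and `npm install` would rewrite the lockfile instead.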
If you do use any kind of pipelines or actions, make sure to use `npm ci` to avoid any problems.
This will also avoid merge conflicts. Just in case: yes, you should version control your `package-lock.json` file, so every developer working on your project uses the same dependencies as you do and as your production environment does.
Besides this and other occurring problems, it will make your pipelines and actions faster, as `npm ci` finishes in less time than `npm install`.
I hope this was helpful.
Cover image by https://unsplash.com/@romanenko29061983