Prerequisite:
How does npm install work?
So far we have seen the functionality of the two files package.json and package-lock.json, and what each of them contains. Now let's see how these files are used by npm install.

When someone clones a repository and runs npm install, and the project has both a package.json and a package-lock.json, the dependencies are installed from package-lock.json, not from package.json.
But if there are discrepancies (discussed below) between package-lock.json and package.json and you run npm install, npm uses package.json to update package-lock.json, and you might end up with a different version than the one you initially installed.
Let’s look at an example:
Let's take a package called 'express', which we can install with npm install express. Afterwards you can see the two files, package.json and package-lock.json, in your folder.

Let’s see the versions of express in both the files,

It's 4.18.1. Now we can change the minor version in the package.json file from 18 to 17.

Then we can delete the node_modules folder.

Now we can install the packages using npm install. Let's see whether we get the version mentioned in package-lock.json or the one in package.json.

npm install

From the above image, we can see that the version value in package-lock.json is maintained, so package-lock.json takes precedence.
But consider another scenario: we can change the version value in package-lock.json from 4.18.1 to 5.0.0 and follow the same process again.

Let’s delete the node_modules and reinstall using npm install.

Now, if we check those files,

Now we can see that precedence has moved to package.json.
To know more about how npm install works, please refer to the GitHub source: https://github.com/npm/cli/blob/latest/lib/commands/install.js
How does npm ci work?

npm ci (or clean install) runs only if the project has a lock file (package-lock.json), and if there is a discrepancy between the lock file (package-lock.json) and package.json, then npm ci errors out, so it does not update the lock file the way npm install does.

npm ci simply removes the node_modules directory and then installs the dependencies, hence the name clean install.
So npm ci is no different from npm i if there is no node_modules directory present and there are no discrepancies between package-lock.json and package.json.
So using npm install is okay if you've cloned a repo, because it respects the lock file; however, in CI environments you should consider using npm ci, because it does a clean install and will fail rather than silently re-resolve versions when the lock file and package.json disagree.
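The "discrepancy" that decides whether npm install rewrites the lock file (described at the top of the post) and that makes npm ci refuse to run (described just above) is simply a locked version that no longer satisfies the range declared in package.json. The script below is an added example, not code from the original post or from the npm CLI: it reproduces that check in a few lines so you can see exactly which dependency would trigger it before a CI job does. It handles lockfileVersion 1 (dependencies) and 2/3 (packages keyed by node_modules path), and only the range forms most common in package.json (exact, ^, ~, *); any other syntax is reported as unsupported rather than guessed. The two sample lock files mirror the post's experiment: one still pins express 4.18.1 against a ^4.17.0 range, the other was edited to 5.0.0. The sample files and the hypothetical names satisfies, lockedVersion and findDiscrepancies are constructed for this example.

```javascript
// Added example (not from the original post or the npm CLI): a small check that
// mirrors the lock-file consistency test npm ci performs before it refuses to
// install. Only exact, ^, ~ and * ranges are handled; others are flagged, not guessed.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true/false when the range is understood, null when its syntax is not handled here.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!v) return null;
  const r = range.trim();
  if (r === '*' || r === '') return true;
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(r);
  if (!m) return null;
  const base = [Number(m[2]), Number(m[3]), Number(m[4])];
  if (compareVersions(v, base) < 0) return false;      // below the lower bound
  if (m[1] === '') return compareVersions(v, base) === 0; // exact pin
  if (m[1] === '~') return v[0] === base[0] && v[1] === base[1]; // same major.minor
  // caret: same major; when major is 0, same minor as well (npm's semver rule)
  if (base[0] === 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === base[0];
}

// Version pinned for a top-level dependency, for lockfileVersion 1 and 2/3 layouts.
function lockedVersion(lock, name) {
  const entry = lock.packages && lock.packages['node_modules/' + name];
  if (entry) return entry.version;
  if (lock.dependencies && lock.dependencies[name]) return lock.dependencies[name].version;
  return undefined;
}

// Every declared dependency whose locked version is missing, unparseable or out of range.
function findDiscrepancies(pkg, lock) {
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const version = lockedVersion(lock, name);
    if (version === undefined) {
      problems.push({ name, range, version: null, reason: 'missing from lock file' });
      continue;
    }
    const ok = satisfies(range, version);
    if (ok === null) problems.push({ name, range, version, reason: 'unsupported range syntax' });
    else if (!ok) problems.push({ name, range, version, reason: 'locked version outside declared range' });
  }
  return problems;
}

// Constructed sample files mirroring the post's experiment. The first lock file is
// consistent with package.json (npm install keeps 4.18.1); the second was edited to
// 5.0.0, which is outside ^4.17.0, so npm ci errors out and npm install re-resolves.
const packageJson = { name: 'demo', dependencies: { express: '^4.17.0' } };
const lockConsistent = { lockfileVersion: 3, packages: { 'node_modules/express': { version: '4.18.1' } } };
const lockDrifted = { lockfileVersion: 3, packages: { 'node_modules/express': { version: '5.0.0' } } };

console.log('consistent lock:', findDiscrepancies(packageJson, lockConsistent));
console.log('drifted lock:', findDiscrepancies(packageJson, lockDrifted));
```

Running it with node prints an empty list for the consistent lock file and one entry for the drifted one, naming express, the declared range and the pinned 5.0.0. In a pipeline you would run this (or simply npm ci itself) before anything that trusts node_modules, because a lock file that npm install quietly rewrites is one whose pinned versions nobody reviewed.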
