
Understanding the Differences Between npm install and npm ci

What is package.json?

package.json is a JSON file that manages the dependencies of npm packages used in a project. There are several ways to specify package versions in it. For example:

{
  "hoge": "^10.0.0",
  "huga": "10.0.0"
}

Here, ^10.0.0 matches any version from 10.0.0 upward, as long as the major version (the first number in major.minor.patch) stays the same, so anything up to but not including 11.0.0. On the other hand, 10.0.0 refers strictly to version 10.0.0 and nothing else.

Even if you pin package versions in package.json, that does not pin the versions of those packages' own dependencies: each dependency declares its requirements as ranges in its own package.json, and those are still resolved at install time. So you need to be cautious.

What is package-lock.json?

Introduced in npm version 5.0.0, package-lock.json is a JSON file that is generated automatically when you run npm install.
It records the exact versions of the packages listed in package.json, along with the full dependency tree that was resolved for them, so the same install can be reproduced precisely.

The Difference Between npm install and npm ci

npm install

Installs packages based on the dependency ranges specified in package.json, and updates package-lock.json in the process. Originally npm install was not meant to overwrite package-lock.json, but this behavior was changed so that the lockfile does not drift from package.json when additional packages are installed.

npm ci

Installs packages strictly based on package-lock.json. It does not re-resolve dependency ranges; instead, it fails with an error if package.json and package-lock.json are out of sync. Additionally, it deletes the existing node_modules directory before installation, so it always produces a clean install.
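To make the two ideas above concrete, here is an added example (not code from the original post or from npm itself) that models how an exact pin and a caret range in package.json constrain versions, and then performs the same kind of package.json versus package-lock.json consistency check that npm ci enforces before it installs anything. The package names hoge and huga come from the post; the version numbers, the lockfile contents and the helper names (`satisfies`, `checkLockConsistency`, `demo`) are constructed for illustration. The caret logic goes slightly beyond the post's 10.0.0 case: it also implements npm's rule for 0.x versions, where the leftmost non-zero component is the one that may not change. The lockfile layout follows lockfileVersion 2/3, where installed packages are keyed by their path under node_modules; real npm supports the full semver grammar and more lockfile fields than this model does.

```javascript
// Added example: a small model of npm's version ranges and of the
// package.json / package-lock.json check performed by `npm ci`.
// All package names, versions and lockfile contents are constructed.

// Parse a plain "major.minor.patch" string into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain major.minor.patch version: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two versions numerically: -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` satisfies `range`. Only the two forms shown in the post
// are supported: an exact pin ("10.0.0") and a caret range ("^10.0.0").
// Caret rule: the version must be >= the floor, and every component up to
// and including the leftmost non-zero component of the floor must be equal.
// So ^10.0.0 allows 10.x.y, ^0.2.3 allows only 0.2.x, ^0.0.3 allows only 0.0.3.
function satisfies(version, range) {
  const r = range.trim();
  if (!r.startsWith('^')) return compareVersions(version, r) === 0;
  const floor = r.slice(1);
  if (compareVersions(version, floor) < 0) return false; // below the floor
  const base = parseVersion(floor);
  const v = parseVersion(version);
  const leftmostNonZero = base.findIndex((n) => n !== 0);
  const fixedUpTo = leftmostNonZero === -1 ? 2 : leftmostNonZero; // ^0.0.0 pins all three
  for (let i = 0; i <= fixedUpTo; i++) {
    if (v[i] !== base[i]) return false;
  }
  return true;
}

// The check `npm ci` performs before installing: every dependency declared
// in package.json must be present in the lockfile at a version that satisfies
// the declared range. Returns a list of human-readable problems (empty = ok).
function checkLockConsistency(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: declared in package.json but missing from package-lock.json`);
    } else if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
  }
  return problems;
}

// Constructed sample inputs. The lockfile was written while huga was pinned to
// 10.0.0; someone later changed the pin in package.json to 10.0.1 without
// re-running `npm install`. That is precisely the drift `npm ci` refuses to hide.
const samplePackageJson = {
  dependencies: { hoge: '^10.0.0', huga: '10.0.1' },
};
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { hoge: '^10.0.0', huga: '10.0.0' } },
    'node_modules/hoge': { version: '10.3.2' },
    'node_modules/huga': { version: '10.0.0' },
  },
};

// Runs the consistency check on the constructed inputs.
function demo() {
  return checkLockConsistency(samplePackageJson, samplePackageLock);
}

console.log('10.3.2 satisfies ^10.0.0:', satisfies('10.3.2', '^10.0.0'));
console.log('11.0.0 satisfies ^10.0.0:', satisfies('11.0.0', '^10.0.0'));
console.log('lockfile problems:', demo());
```

Running it reports that hoge's locked 10.3.2 is fine under ^10.0.0 (same major), while huga's lock entry no longer matches the pin in package.json. npm install would silently re-resolve huga and rewrite the lockfile; npm ci stops with an error, which is the behaviour you want in CI and right after a clone, because a lockfile that was edited out from under you is exactly what a reproducible build should refuse.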

So, Which One Should We Use?

I think it's better to use npm ci right after cloning a project. Since it installs the exact package versions specified in package-lock.json, it ensures consistency across the development environment of team members. Going forward, I plan to use npm ci whenever possible.