Comments (9)
`npm ci` requires a package.json, which doesn't exist for globally installed packages.
Also, `npm install` and `npm ci` are mutually exclusive, you use one or the other.
from cli.
`npm ci` requires a package.json
Per the docs here: https://docs.npmjs.com/cli/v10/commands/npm-ci
This command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies.
This is exactly what I want to use `npm ci` for
The project must have an existing package-lock.json or npm-shrinkwrap.json.
If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
Makes sense; my project has both a `package.json` and `package-lock.json` to inform the global installation of my CLI tool. Notably Yarn does the right thing here; it globally installs my package using `yarn.lock` — it's not clear why `npm ci` cannot do this. Instead the behavior forces us to accept that `npm install` may rewrite my `package-lock.json` during continuous integration of my globally installed CLI tool. This isn't really acceptable.
Also thanks for pointing out the mistake in my sample; the command I want to run is `npm ci` not `npm ci install`
from cli.
Best practice is to not install anything globally, especially in a CI environment. Instead, you install it locally and invoke it with `npx`.
The entire purpose of `npm ci` is to delete and reinstall local node_modules. It's just conceptually nonsense to use it with `-g`.
from cli.
@ljharb are you a maintainer of `npm` or `npm ci`?
from cli.
@klebba nope! but that doesn't make any of my statements less true.
from cli.
I see. Well, you know, that's just like uh, your opinion, man.
As long as `npm install --global` is a supported feature it is rather bizarre to randomly admonish issue reporters about "best practices" and "nonsense" use cases.
from cli.
`npm install -g` is supported. `npm ci -g` is not, by design, since its inception.
Teaching best practices is a gift - it's trying to help you.
from cli.
`npm ci` installs a package as a dependency of the global namespace. It is fundamentally different than installing the dependencies for a package. There is no global package.json, so there is no `ci` that could be done at that level.
For cli tools in which you want to dictate exactly what is installed when your package is installed (which npm itself does) you want to bundle your dependencies. Please note that yarn et al don't support that. You may also be thinking of a shrinkwrap which does what you are describing.
from cli.
Thanks for your reply. Yarn does support what I want; I already use it like this:
yarn install ./my-cli-tool-written-in-nodejs --global --frozen-lockfile
According to `npm ci` docs the command should satisfy the use case:
This command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies.
The project must have an existing package-lock.json or npm-shrinkwrap.json.
Yes
If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
Yes
npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
Yes
If a node_modules is already present, it will be automatically removed before npm ci begins its install.
Yes
It will never write to package.json or any of the package-locks: installs are essentially frozen.
Yes
Thanks for pointing out `npm shrinkwrap` — this does seem like what I need. In fact now it's not clear to me why I would use `npm ci` instead of `npm install` if I want to adhere to lockfile contents. I guess something about whether or not the lockfile is publishable?
I could update this ticket or open another with adjusted suggestions:
- Update the `npm ci` command docs to indicate that `npm ci` is not/will never be able to install packages globally, instead refer users to adopt `npm shrinkwrap` and use `npm install` to accomplish this task.
- Consider addressing / reconciling these two confusing statements:
  - use `npm ci` when you need to strictly adhere to the contents of your lockfile defined in `package-lock.json` OR `npm-shrinkwrap.json` for a local install
  - use `npm install` when you need to strictly adhere to the contents of your lockfile defined ONLY in `npm-shrinkwrap.json` for a global install
As I write this I also wonder: why can't I use `npm install` to strictly adhere to my `package-lock.json` (e.g. frozen install)?
from cli.
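The lockfile rule quoted from the `npm ci` docs in this thread (a mismatch between package.json and the lock is an error, and nothing is written) can be approximated as a read-only CI gate. This is an added example, not code from npm or from any commenter; `checkFrozenLock`, the sample data and the integrity policy are assumptions, and specs are compared as strings rather than by semver range.

```javascript
// Added example: read-only "frozen lockfile" gate; never writes either file.
// Assumption: lockfileVersion 2 or 3, where packages[""] mirrors package.json.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function checkFrozenLock(manifest, lock) {
  const root = lock && lock.packages && lock.packages[""];
  if (!root) return ['lockfile has no packages[""] root entry'];
  const problems = [];
  for (const field of DEP_FIELDS) {
    const declared = manifest[field] || {};
    const locked = root[field] || {};
    const names = new Set([...Object.keys(declared), ...Object.keys(locked)]);
    for (const name of names) {
      // Models the documented mismatch error: declared spec vs. spec in the lock
      // (string comparison, an approximation of npm's own check).
      if (declared[name] !== locked[name]) {
        problems.push(`${field}.${name}: package.json=${declared[name]} lock=${locked[name]}`);
        continue;
      }
      const entry = lock.packages[`node_modules/${name}`];
      if (!entry) {
        problems.push(`${name}: missing from lock`);
      } else if (!entry.link && !entry.integrity) {
        // Policy of this example (stricter than npm): every fetched package needs a hash.
        problems.push(`${name}: no integrity hash in lock`);
      }
    }
  }
  return problems;
}

// Constructed sample data; package names and hashes are placeholders.
const sampleManifest = {
  name: "my-cli-tool", version: "1.0.0",
  dependencies: { "dep-a": "^1.2.0", "dep-b": "^2.0.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-cli-tool", version: "1.0.0",
          dependencies: { "dep-a": "^1.2.0", "dep-b": "^1.9.0" } },
    "node_modules/dep-a": { version: "1.2.3" },
    "node_modules/dep-b": { version: "1.9.4", integrity: "sha512-PLACEHOLDER" },
  },
};
console.log(checkFrozenLock(sampleManifest, sampleLock));
```

A CI job would parse the two files with `JSON.parse` and fail the build when the returned list is non-empty, before any install step runs.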