How to Enforce Lockfile Integrity in CI
npm ci installs strictly from the lockfile and fails if it drifts, so builds are reproducible and cannot silently pull new versions.
Use npm ci (or pnpm install --frozen-lockfile, yarn install --immutable) in CI. These modes refuse to modify the lockfile: any mismatch between manifest and lockfile aborts the build, so nobody sneaks an unpinned dependency past review.
Steps
- Commit the lockfile and treat it as reviewed source.
- Replace
npm installwithnpm ciin every CI job. - Use the frozen/immutable flag for pnpm or yarn.
Workflow
.github/workflows/ci.yml
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
# npm: strict, lockfile-only install
- run: npm ci
# pnpm alternative:
# - run: pnpm install --frozen-lockfile
# yarn alternative:
# - run: yarn install --immutableGotchas
npm cifails if the lockfile is out of sync withpackage.json, which is the intended safety net.- Never run
npm installin CI; it can rewrite the lockfile and pull unreviewed versions.
Related guides
How to Protect Against Dependency Confusion in CIDefend CI builds against dependency confusion by scoping internal packages and pinning the registry, so a pub…
How to Verify Checksums for Downloaded Tools in CIVerify the SHA-256 checksum of any binary or archive you download in CI with sha256sum -c before executing it…