Skip to content
Latchkey

How to Enforce Lockfile Integrity in CI

npm ci installs strictly from the lockfile and fails if it drifts, so builds are reproducible and cannot silently pull new versions.

Use npm ci (or pnpm install --frozen-lockfile, yarn install --immutable) in CI. These modes refuse to modify the lockfile: any mismatch between manifest and lockfile aborts the build, so nobody sneaks an unpinned dependency past review.

Steps

  • Commit the lockfile and treat it as reviewed source.
  • Replace npm install with npm ci in every CI job.
  • Use the frozen/immutable flag for pnpm or yarn.

Workflow

.github/workflows/ci.yml
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: '20'
  # npm: strict, lockfile-only install
  - run: npm ci
  # pnpm alternative:
  # - run: pnpm install --frozen-lockfile
  # yarn alternative:
  # - run: yarn install --immutable

Gotchas

  • npm ci fails if the lockfile is out of sync with package.json, which is the intended safety net.
  • Never run npm install in CI; it can rewrite the lockfile and pull unreviewed versions.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →