npm ci: Clean, Reproducible Installs
npm ci is the deterministic install built for automation.
Unlike npm install, npm ci never edits the lockfile and fails if package.json and the lockfile disagree, so builds are reproducible.
How it differs from npm install
- Requires an existing
package-lock.json - Deletes
node_modulesbefore installing - Never writes to the lockfile
- Fails on lockfile/package.json mismatch
Example in CI
Standard CI install with caching upstream.
shell
npm ci --no-audit --no-fundIn CI
Use npm ci for every CI job. Cache ~/.npm (not node_modules) keyed on the lockfile hash for speed. Managed runners like Latchkey keep a warm npm cache to make this faster.
Key takeaways
npm ciis deterministic and lockfile-strict.- It wipes node_modules first.
- Cache
~/.npm, notnode_modules.
Related guides
npm install: Flags That Matter in CInpm install resolves and installs dependencies and can edit the lockfile. Learn the flags that make it safe a…
npm cache clean and verifyManage the npm cache in CI: clean a corrupt cache, verify integrity, and understand why a forced clean is rar…
npm audit: Scan Dependencies in CIUse npm audit in CI to find known vulnerabilities in your dependency tree, control severity thresholds, and a…