npm i (dirty install) does not hold you to package-lock.json: it resolves from the ranges in package.json, and whenever package.json and the lockfile disagree it resolves afresh and rewrites the lockfile, so you can end up with versions the publisher never tested - a.k.a. Works on My Machine™.
npm ci (clean-install) is the correct command for a reproducible install: it wipes node_modules, installs exactly the versions (and integrity hashes) recorded in package-lock.json, never modifies the lockfile, and fails outright if package.json and the lockfile are out of sync - Works on Your Machine Too™.
The default behavior of a dirty install exists for historical reasons, but it leads to unintuitive and unexpected behavior (namely that most people believe and expect that they're getting the same versions the publisher pinned in package-lock.json, which npm install does not guarantee).
Now, the behavior most people actually want is npm clean-install && npm audit fix, but that also spits out scary messages - which users don't want. 🤷♂️ One caveat worth knowing: npm audit fix edits package-lock.json, so on a build agent you usually want npm ci followed by a read-only npm audit, and commit any audit fix changes from a developer machine like any other dependency bump.
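The mismatch that npm ci refuses and npm i silently papers over is easy to check for yourself before either command runs. The following is an added example, not code from the original post or from npm itself: it reproduces the consistency check npm ci applies (every dependency declared in package.json must appear in the lockfile's root entry with the same range) and additionally flags locked packages that lack `resolved`/`integrity`, since without those the install is neither pinned nor tamper-evident. The package.json and package-lock.json objects, the hash strings and the URLs are all constructed placeholders; in real use you would JSON.parse the two files from disk.

```javascript
// Added example (not from the original post): a pre-install lockfile sanity check
// mirroring what `npm ci` enforces, plus a supply-chain check that every locked
// package carries `resolved` and `integrity`. Works against lockfileVersion 2 and 3,
// whose root entry lives at lock.packages[""].
function checkLock(pkg, lock) {
  const problems = [];
  if (!lock) {
    problems.push('package-lock.json missing: npm ci refuses to run without it');
    return problems;
  }
  if (![2, 3].includes(lock.lockfileVersion)) {
    problems.push(`unexpected lockfileVersion ${lock.lockfileVersion} (npm >= 7 writes 2 or 3)`);
  }
  const root = (lock.packages && lock.packages['']) || {};
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };

  // 1. What package.json asks for must match what the lockfile root recorded.
  for (const [name, range] of Object.entries(declared)) {
    if (!(name in locked)) {
      problems.push(`${name} is in package.json but not in the lockfile root`);
    } else if (locked[name] !== range) {
      problems.push(`${name}: package.json wants ${range}, lockfile records ${locked[name]}`);
    }
  }
  for (const name of Object.keys(locked)) {
    if (!(name in declared)) {
      problems.push(`${name} is locked but no longer declared in package.json`);
    }
  }

  // 2. Every installed package should be pinned to a URL and a content hash.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root entry and workspace symlinks
    if (!entry.resolved || !entry.integrity) {
      problems.push(`${path} lacks resolved/integrity; the install is not pinned`);
    }
  }
  return problems;
}

// Constructed sample inputs (placeholders, not real registry data).
const PACKAGE_JSON = {
  name: 'demo', version: '1.0.0',
  dependencies: { lodash: '^4.17.21' },
  devDependencies: { jest: '^29.0.0' },
};
const GOOD_LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21' }, devDependencies: { jest: '^29.0.0' } },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.example/lodash-4.17.21.tgz', integrity: 'sha512-PLACEHOLDER-LODASH' },
    'node_modules/jest': { version: '29.7.0', dev: true, resolved: 'https://registry.example/jest-29.7.0.tgz', integrity: 'sha512-PLACEHOLDER-JEST' },
  },
};
// Someone bumped lodash and added express in package.json but never regenerated the
// lockfile, and lodash's integrity field was stripped: `npm i` would quietly "fix" all
// of this by re-resolving and rewriting the lock; `npm ci` errors out instead.
const DRIFTED_PACKAGE_JSON = {
  name: 'demo', version: '1.0.0',
  dependencies: { lodash: '^4.17.22', express: '^4.18.2' },
  devDependencies: { jest: '^29.0.0' },
};
const DRIFTED_LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21' }, devDependencies: { jest: '^29.0.0' } },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.example/lodash-4.17.21.tgz' },
    'node_modules/jest': { version: '29.7.0', dev: true, resolved: 'https://registry.example/jest-29.7.0.tgz', integrity: 'sha512-PLACEHOLDER-JEST' },
  },
};

for (const [label, pkg, lock] of [['clean', PACKAGE_JSON, GOOD_LOCK], ['drifted', DRIFTED_PACKAGE_JSON, DRIFTED_LOCK]]) {
  const problems = checkLock(pkg, lock);
  console.log(`${label}: ${problems.length === 0 ? 'ok, safe to npm ci' : problems.join('\n  ')}`);
}
```

Run this as a pre-step in CI and fail the job on a non-empty result; a drifted lockfile should be regenerated on a developer machine (npm install, review the diff, commit) rather than silently rewritten by the build.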