
Why you should never use ‘npm install’ in your CI/CD pipelines

 4 years ago
source link: https://medium.com/javascript-in-plain-english/why-you-should-never-use-npm-install-in-your-ci-cd-pipelines-da0b89346d8d

Responses (2)

I don't get it. I use Azure DevOps for CI/CD. Every build starts from scratch. So this statement:
Actually, it's pretty simple. Whenever you start your CI/CD pipelines you don’t want to have any inconsistency due to non-matching package*.json files…...
Why would I want a node_modules folder on my production server? Surely, I just want the files from my ‘build’? So, I would never be using either ‘npm i’ or ‘npm ci’ in my pipeline. Maybe this is because I only have a local & production set-up. I…...


When to use npm ci and npm install explained in very simple terms.

[Photo by Cookie the Pom on Unsplash]

When starting a new project or cloning an existing one, most people run npm install, or its shorthand npm i, which is fine. But most likely you have already stumbled upon a similar command called npm ci.

I still often see the npm install command in regular CI/CD pipelines. What sounds fine at first can lead to quite a few problems. The ci in npm ci stands for “clean install”, or, if it helps you, “continuous integration”. So it's quite clear that it should be used instead of npm install in your pipelines. But let's quickly check what the differences are before you blindly follow my advice and use npm ci in all of your pipelines.

Even though the following definitions aren't 100% aligned with the official NPM documentation, I try to explain them in super simple terms covering the most common use cases.

npm install

It is used to add dependencies to your package.json and package-lock.json, thus modifying your dependency definitions and installing them on your machine. This is absolutely fine for development, but it should never happen in your pipelines for any reason. You don't want to add or modify any files in your pipelines.

npm ci

This command relies solely on the dependency definitions listed in package.json and package-lock.json and installs them. BUT it doesn't make any modifications to your files. Also, if the definitions in your two JSON files aren't 100% aligned with each other, this command throws an error, which also means that a lock file has to exist. So always make sure that you add it to your VCS. Besides that, it does a “clean install”, like the name suggests, which means that any existing node_modules folder is deleted.

Okay, but why is this important?

Actually, it's pretty simple. Whenever you start your CI/CD pipelines you don't want any inconsistency due to non-matching package*.json files, which might result in a different codebase than your local one. Also, you don't want any side effects, which could appear when you are using an already populated node_modules folder.

Just imagine what would happen if one of your developers commits only the package.json but not the package-lock.json. The pipeline wouldn't know which packages to use now that the JSON files are no longer aligned. Also, the pipeline might suddenly use some packages the developer doesn't have on their local machine, and thus the typical “but it works on my machine” might occur again.
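As an added example (not from the original article), here is a small pre-flight check a pipeline can run before npm ci to report exactly why package.json and package-lock.json have drifted apart, covering the scenario above where only package.json was committed. It approximates the consistency check npm ci performs by reading the root entry (packages[""]) that npm writes into lockfile v2/v3; the function name is my own and the sample manifests are constructed.

```javascript
// Added example: pre-flight lockfile consistency check for a CI job. It compares
// the ranges declared in package.json with the root entry (packages[""]) that
// npm writes into lockfile v2/v3 and checks each dependency has a resolved entry.

function lockfileDiscrepancies(pkg, lock) {
  const problems = [];
  if (!lock || !lock.packages) {
    // lockfileVersion 1 (npm 6) has no "packages" map; not handled here.
    return ["package-lock.json missing or lockfileVersion < 2"];
  }
  const root = lock.packages[""] || {};
  for (const field of ["dependencies", "devDependencies"]) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${name}: declared in package.json but missing from lock root`);
      } else if (locked[name] !== range) {
        // Plain string comparison of ranges: stricter than npm's own semver check.
        problems.push(`${name}: package.json wants ${range}, lock root has ${locked[name]}`);
      }
      if (!lock.packages[`node_modules/${name}`]) {
        problems.push(`${name}: no resolved entry node_modules/${name} in lock`);
      }
    }
    // Dependencies dropped from package.json but still pinned in the lock root.
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${name}: in lock root but no longer in package.json`);
      }
    }
  }
  return problems;
}

// Constructed sample: a developer bumped lodash and added express in package.json
// but committed only package.json, not the regenerated package-lock.json.
const samplePkg = { dependencies: { lodash: "^4.17.21", express: "^4.18.2" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { lodash: "^4.17.20" } },
    "node_modules/lodash": { version: "4.17.20" },
  },
};

const report = lockfileDiscrepancies(samplePkg, sampleLock);
console.log(report.length ? report.join("\n") : "package.json and package-lock.json are in sync");
```

In a real job, read the two files from the checkout, run this check, and fail the job when the list is non-empty so the cause is visible before npm ci aborts.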

What you want in CI/CD pipelines are strongly consistent, reproducible steps that are not affected by any side effects. So it should never matter how often you run a specific pipeline. Given the same (optional) parameters, it should always produce the same result, regardless of whether it is linting, building, testing, or even deploying your software.

Conclusion

I hope I could show you why it's so important to use the npm ci command in your pipelines and refrain from using the “normal” npm install.

So just to summarize:

  • Use npm install when you are working on your local machine and want to install/add/modify dependencies.
  • Use npm ci when you are running on a CI/CD pipeline and want to provide consistency with reproducible steps.

Thanks for taking the time to read my article.

If you have any questions or additions feel free to use the comment section or hit me up on LinkedIn or Twitter to get in contact with me 😊

