
What is the difference between npm install and npm ci

Asked 5 months ago
Modified 3 months ago
Viewed 106 times

6 answers


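npm install and npm ci are two commonly used commands in the Node.js ecosystem. Both install dependencies, but they work in slightly different ways and serve slightly different purposes:

  1. npm install:

    • Purpose: npm install is one of the most commonly used commands and is used to install dependencies. It installs modules according to the dependencies listed in package.json, and it can update package-lock.json.
    • Behavior: npm install looks up and installs the latest versions of dependencies according to the version ranges defined in package.json or npm-shrinkwrap.json. If package-lock.json exists, it takes that file into account as well, but it allows dependencies to be updated according to the semantic versioning rules specified in package.json.
    • Example: If your package.json specifies a package version of ^1.0.0, running npm install may install any 1.x.x version of that package, as long as it is the latest version and satisfies the constraints in package.json.
  2. npm ci:

    • Purpose: npm ci (ci stands for Continuous Integration) is mainly used in automated environments such as test platforms and continuous integration and deployment pipelines. The command must be run with a package-lock.json or npm-shrinkwrap.json file present.
    • Behavior: npm ci ignores the dependency versions in package.json and installs the specific versions of dependencies strictly according to package-lock.json or npm-shrinkwrap.json. This ensures consistency across environments and developers.
    • Speed: npm ci is usually faster than npm install because it skips certain user-facing features, such as updating package-lock.json or installing new versions of packages.
    • Example: If you deploy your project's code base to a continuous integration server together with its package-lock.json, running npm ci ensures that the dependencies installed on the server are exactly the same as those used in your local development environment.

In summary, if you want to install or update dependencies in a local development environment, you will usually use npm install. If you are in an automated environment and need a repeatable, deterministic dependency installation, you will use npm ci.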

June 29, 2024 12:07 Reply

From the official documentation for npm ci:

In short, the main differences between using npm install and npm ci are:

  • The project must have an existing package-lock.json or npm-shrinkwrap.json.
  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
  • npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
  • If a node_modules is already present, it will be automatically removed before npm ci begins its install.
  • It will never write to package.json or any of the package-locks: installs are essentially frozen.

Essentially, npm install reads package.json to create a list of dependencies and uses package-lock.json to inform which versions of these dependencies to install. If a dependency is not in package-lock.json it will be added by npm install.

npm ci (also known as Clean Install) is meant to be used in automated environments — such as test platforms, continuous integration, and deployment — or, any situation where you want to make sure you're doing a clean install of your dependencies.

It installs dependencies directly from package-lock.json and uses package.json only to validate that there are no mismatched versions. If any dependencies are missing or have incompatible versions, it will throw an error.

Use npm install to add new dependencies, and to update dependencies on a project. Usually, you would use it during development after pulling changes that update the list of dependencies but it may be a good idea to use npm ci in this case.

Use npm ci if you need a deterministic, repeatable build. For example during continuous integration, automated jobs, etc. and when installing dependencies for the first time, instead of npm install.

npm install

  • Installs a package and all its dependencies.
  • Dependencies are driven by npm-shrinkwrap.json and package-lock.json (in that order).
  • Without arguments: installs dependencies of a local module.
  • Can install global packages.
  • Will install any missing dependencies in node_modules.
  • It may write to package.json or package-lock.json.
    • When used with an argument (npm i packagename) it may write to package.json to add or update the dependency.
    • When used without arguments (npm i), it may write to package-lock.json to lock down the version of some dependencies if they are not already in this file.

npm ci

  • Requires at least npm v5.7.1.
  • Requires package-lock.json or npm-shrinkwrap.json to be present.
  • Throws an error if dependencies from these two files don't match package.json.
  • Removes node_modules and installs all dependencies at once.
  • It never writes to package.json or package-lock.json.

Algorithm

While npm ci generates the entire dependency tree from package-lock.json or npm-shrinkwrap.json, npm install updates the contents of node_modules using the following algorithm (source):

    load the existing node_modules tree from disk
    clone the tree
    fetch the package.json and assorted metadata and add it to the clone
    walk the clone and add any missing dependencies
      dependencies will be added as close to the top as is possible without breaking any other modules
    compare the original tree with the cloned tree and make a list of actions to take to convert one to the other
    execute all of the actions, deepest first
      kinds of actions are install, update, remove and move

June 29, 2024 12:07 Reply
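
The mismatch rule quoted above (npm ci exits with an error instead of updating the lock) can be approximated as a pre-install check. This is an added example, not npm's own code and not part of any answer; findLockDrift and the sample data are hypothetical. It assumes a lockfileVersion 2 or 3 lock with a packages map and compares range strings literally, which is stricter than npm's semver-based validation.

```javascript
// Constructed sample (not from the page): a package.json and a
// lockfileVersion 3 package-lock.json that have drifted apart.
const packageJson = {
  name: "demo-app",
  dependencies: { "left-pad": "^1.3.0", "is-odd": "^3.0.1" },
};
const packageLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.2.0" } },
    "node_modules/left-pad": {
      version: "1.2.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.2.0.tgz",
      // integrity omitted on purpose in this constructed sample
    },
  },
};

// Hypothetical helper: lists reasons a frozen install should not proceed.
function findLockDrift(pkg, lock) {
  const problems = [];
  const root = (lock.packages && lock.packages[""]) || {};
  for (const field of ["dependencies", "devDependencies"]) {
    const declared = pkg[field] || {};
    const recorded = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in recorded)) {
        problems.push(`${name}: in package.json but not in the lock`);
      } else if (recorded[name] !== range) {
        problems.push(`${name}: package.json wants ${range}, lock has ${recorded[name]}`);
      }
    }
    for (const name of Object.keys(recorded)) {
      if (!(name in declared)) problems.push(`${name}: in the lock but not in package.json`);
    }
  }
  // Each installed package should pin a tarball URL and an integrity hash.
  // Workspace links and bundled packages legitimately carry neither.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
    if (!entry.resolved) problems.push(`${path}: no resolved URL`);
    if (!entry.integrity) problems.push(`${path}: no integrity hash`);
  }
  return problems;
}

console.log(findLockDrift(packageJson, packageLock));
```

An empty result means the lock and package.json agree and every installed package is pinned to a tarball and hash, which is the state a CI job should be in before it runs npm ci.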

npm ci will delete any existing node_modules folder and relies on the package-lock.json file to install the specific version of each package. It is significantly faster than npm install because it skips some features. Its clean state install is great for CI/CD pipelines and Docker builds! You also use it to install everything all at once and not specific packages.

June 29, 2024 12:07 Reply

While everyone else has answered the technical differences none explain in what situations to use both.

You should use them in different situations.

npm install is great for development and in the CI when you want to cache the node_modules directory. When to use this? You can do this if you are making a package for other people to use (you do NOT include node_modules in such a release). Regarding the caching, be careful, if you plan to support different versions of Node.js remember that node_modules might have to be reinstalled due to differences between the Node.js runtime requirements. If you wish to stick to one version, stick to the latest LTS.

npm ci should be used when you are to test and release a production application (a final product, not to be used by other packages) since it is important that you have the installation be as deterministic as possible. This install will take longer but will ultimately make your application more reliable (you do include node_modules in such a release). Stick with the LTS version of Node.js.

npm i and npm ci both utilize the npm cache if it exists, this cache lives normally at ~/.npm.

Also, npm ci respects the package-lock.json file, unlike npm install, which rewrites the file and always installs new versions.

Bonus: You could mix them depending on how complex you want to make it. On feature branches in git you could cache the node_modules to increase your team's productivity and on the merge request and master branches rely on npm ci for a deterministic outcome.

June 29, 2024 12:07 Reply

  • npm ci - install exactly what is listed in package-lock.json
  • npm install - without changing any versions in package.json, use package.json to write package-lock.json, then install exactly what is listed in package-lock.json
  • npm update - similar to npm install but will also install updates for "blurred version" stuff (e.g. *, ^1.2.3)
  • npx npm-check-updates -u; npm install - Will try to update absolutely everything to the latest version. Be careful of breaking changes when using this one.

Or said a different way, npm ci changes 0 package files, npm install and npm update change 1 package file (package-lock.json), and npx npm-check-updates -u; npm install changes 2 package files (package.json and package-lock.json).

June 29, 2024 12:07 Reply

The documentation you linked had the summary:

In short, the main differences between using npm install and npm ci are:

  • The project must have an existing package-lock.json or npm-shrinkwrap.json.
  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
  • npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
  • If a node_modules is already present, it will be automatically removed before npm ci begins its install.
  • It will never write to package.json or any of the package-locks: installs are essentially frozen.

June 29, 2024 12:07 Reply
