Clean Install In CI: How To Freeze Your Lockfile With npm And yarn

August 4, 2020 · 1 min read

Photo: Printing Letters, by Arian Darvishi on Unsplash

When you're running npm install (or yarn install) locally, you'll notice that sometimes your package-lock.json (or yarn.lock) gets updated.

That's fine locally, because you review that change and commit the updated lockfile to version control.

Pinning these versions in your build pipeline is important, because you have developed and tested your application with a specific set of dependency versions. If the pipeline silently resolves different versions, you might encounter bugs or other unexpected behavior, and you may ship a package release that nobody on the team has reviewed.

So how do you fix your versions when installing in your CI pipeline?

For npm, the answer is npm ci (ci here means clean install, not continuous integration). It installs exactly what package-lock.json records, removes any existing node_modules first, and fails instead of rewriting the lockfile if package.json and package-lock.json disagree.

For yarn (Yarn 1, the version current when this was written), the answer is yarn install --frozen-lockfile, which fails if the install would need to modify yarn.lock. Yarn 2 and later replace this flag with yarn install --immutable.

(I think the yarn interface is much more predictable and easier to understand. It always confuses me that npm uses the same command for installing all dependencies and adding a new dependency.)

But wait, when installing for production we also don't need the devDependencies.

For npm, the full production-ready install command is npm ci --only=prod. Newer npm versions deprecate --only in favour of npm ci --omit=dev.

For yarn, you get a production install with yarn install --frozen-lockfile --production.

The same behaviour can also be reached by setting NODE_ENV to production: NODE_ENV=production npm ci and NODE_ENV=production yarn install --frozen-lockfile. Two caveats: NODE_ENV=production changes the behaviour of many build and runtime tools, not just the installer, so set it deliberately; and devDependencies are usually needed to build and test (compilers, bundlers, test runners), so a common pattern is a full frozen install for the build and test stages, followed by npm prune --production (or a separate production-only install) for the artifact you ship.
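As an added example (not code from the original post), here is a small POSIX shell helper that applies the commands above in a CI job: it picks the frozen-lockfile install command from the lockfile a checkout carries, refuses checkouts with no lockfile or with two competing lockfiles, and after the install checks that the lockfile was not rewritten. The function names frozen_install_cmd and lockfile_unchanged are my own, and treating a .yarnrc.yml file as the marker of a Yarn 2+ project is an assumption of this example.

```sh
#!/bin/sh
# Added example, not code from the original post: decide which frozen-lockfile
# install command a CI job should run for a checkout, based only on the lockfile
# it carries, and refuse checkouts where there is nothing to freeze or where two
# package managers disagree about the dependency tree. Assumes the command
# syntax described in the post (npm ci, Yarn 1 --frozen-lockfile); a .yarnrc.yml
# file is taken (assumption) as the sign of Yarn 2+, whose flag is --immutable.
set -eu

# frozen_install_cmd DIR [prod]
# Prints the install command for DIR. Passing "prod" as the second argument
# asks for a devDependencies-free install.
frozen_install_cmd() {
    dir=$1
    prod=${2:-}
    has_npm=0
    has_yarn=0
    [ -f "$dir/package-lock.json" ] && has_npm=1
    [ -f "$dir/yarn.lock" ] && has_yarn=1

    if [ "$has_npm" -eq 1 ] && [ "$has_yarn" -eq 1 ]; then
        # Two lockfiles can pin different versions of the same package; a CI
        # job must not guess which one the team actually tested against.
        echo "error: $dir has both package-lock.json and yarn.lock; keep one" >&2
        return 1
    fi

    if [ "$has_npm" -eq 1 ]; then
        cmd="npm ci"
        # --only=prod is the npm 6 spelling; newer npm prefers --omit=dev.
        [ "$prod" = "prod" ] && cmd="$cmd --only=prod"
    elif [ "$has_yarn" -eq 1 ] && [ -f "$dir/.yarnrc.yml" ]; then
        # Yarn 2+: --frozen-lockfile is gone; --immutable fails the install
        # if yarn.lock would change. There is no --production switch here.
        cmd="yarn install --immutable"
        [ "$prod" = "prod" ] && echo "warning: yarn 2+ has no --production; prune devDependencies separately" >&2
    elif [ "$has_yarn" -eq 1 ]; then
        cmd="yarn install --frozen-lockfile"
        [ "$prod" = "prod" ] && cmd="$cmd --production"
    else
        # No lockfile means every run re-resolves ranges from package.json,
        # which is exactly the drift the frozen flags exist to prevent.
        echo "error: $dir has no lockfile; nothing to freeze" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# lockfile_unchanged DIR
# Run after the install: a frozen install must leave the lockfile identical to
# what was checked in, so any diff reported by git is a build failure.
lockfile_unchanged() {
    git -C "$1" diff --quiet -- package-lock.json yarn.lock
}

# Typical CI step, with this file sourced:
#   cmd=$(frozen_install_cmd . prod) && sh -c "$cmd" && lockfile_unchanged .
```

The lockfile check is the part worth copying even if you hard-code the install command: if npm ci or the frozen yarn install ever does rewrite the lockfile, the job should stop rather than continue with a dependency tree nobody has reviewed.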