When you're running `npm install` (or `yarn install`) locally, you'll notice that sometimes your `package-lock.json` (or `yarn.lock`) gets updated. That's ok when running locally, as you will check these changes into version control.
Fixing these versions in your build pipeline is important, because you have developed and tested your application with a specific set of dependency versions. If the dependency versions change, you might encounter bugs or other unexpected behavior.

So how do you fix your versions when installing in your CI pipeline?
For npm, the answer is `npm ci` (ci here means clean install, not continuous integration). For yarn, the answer is `yarn install --frozen-lockfile`.
(I think the yarn interface is much more predictable and easier to understand. It always confuses me that npm uses the same command for installing all dependencies and adding a new dependency.)
But wait, when installing for production we also don't need the development dependencies. For npm, the full production-ready install command is `npm ci --only=prod`. For yarn, you get a production install with `yarn install --frozen-lockfile --production`.
The same behaviour can also be reached by setting `NODE_ENV=production`: `NODE_ENV=production npm ci` and `NODE_ENV=production yarn install --frozen-lockfile`.
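As an added example (this is not code from the original post), here is a small POSIX shell helper that puts the two commands above into a CI step: it picks the deterministic, production-only install for whichever lockfile the project has committed, refuses to build when no lockfile (or both lockfiles) is present, and checks afterwards that the install did not rewrite the lockfile. The function names `ci_install_cmd`, `lockfile_hash` and `ci_install` are my own; `npm ci` and `yarn install --frozen-lockfile` already fail when the lockfile would need updating, so the hash comparison is a belt-and-braces check that leaves a clear message in the pipeline log.

```shell
#!/bin/sh
# Added example, not from the original post. Chooses the pinned, production-only
# install for the lockfile a project ships and fails the build when versions
# could not be pinned. Function names are my own.

# ci_install_cmd DIR -> prints the install command to run in DIR, or fails.
ci_install_cmd() {
    dir="${1:-.}"
    if [ -f "$dir/package-lock.json" ] && [ -f "$dir/yarn.lock" ]; then
        echo "error: $dir has both package-lock.json and yarn.lock; commit only one" >&2
        return 1
    elif [ -f "$dir/package-lock.json" ]; then
        echo "npm ci --only=prod"
    elif [ -f "$dir/yarn.lock" ]; then
        echo "yarn install --frozen-lockfile --production"
    else
        # Without a lockfile every CI run resolves fresh versions, which is
        # exactly the situation the post says to avoid.
        echo "error: no lockfile in $dir; refusing to resolve unpinned versions" >&2
        return 1
    fi
}

# lockfile_hash DIR -> POSIX cksum ("crc size") of the committed lockfile, or "none".
lockfile_hash() {
    dir="${1:-.}"
    for f in "$dir/package-lock.json" "$dir/yarn.lock"; do
        if [ -f "$f" ]; then
            cksum < "$f"
            return 0
        fi
    done
    echo none
}

# ci_install DIR -> runs the chosen command in DIR and verifies the lockfile
# was not rewritten by the install.
ci_install() {
    dir="${1:-.}"
    cmd=$(ci_install_cmd "$dir") || return 1
    before=$(lockfile_hash "$dir")
    echo "+ $cmd"
    (cd "$dir" && eval "$cmd") || return 1
    after=$(lockfile_hash "$dir")
    if [ "$before" != "$after" ]; then
        echo "error: lockfile changed during install; versions were not pinned" >&2
        return 1
    fi
}

# Usage: sh ci-install.sh path/to/project
# The functions can also be sourced without running anything.
if [ "$#" -gt 0 ]; then
    ci_install "$1"
fi
```

The script uses the `--only=prod` spelling from the post; newer npm releases also accept `--omit=dev` for the same production filter. Because `ci_install_cmd` exits non-zero when no lockfile is committed, the pipeline fails loudly instead of silently installing whatever versions resolve on that day.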