Change npm install to npm ci
#433
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Running `npm install` will change the dependencies in node_modules and what is listed in package-lock.json if the dependencies in package-lock.json don't match the dependency tree possible for the versions specified in package.json. Running `npm ci` deletes node_modules at the start and installs exactly what's in package-lock.json, irrelevant of whether any sub-dependencies of the packages listed in package.json have newer versions allowed by their semver ranges or not. A nicer way to explain might be this example: If the 'standard' package changes by a patch version and we run `npm install`: 1. its version includes the '^' prefix so allows patch and minor version bumps 2. the new version would be installed into node_modules 3. package-lock.json would be updated to reference the new version 4. `npm install` is then run on the new version of 'standard', checking for the latest versions of its dependencies allowed and installing them, all the way down the tree If the 'standard' package changes by a patch version and we run `npm ci`: 1. the node_modules folder is emptied 2. all the dependencies listed in package-lock.json are installed at the versions specified So in the second example, `npm ci` ignores the new patched version because it only goes by what's in package-lock.json. I think we want the later behaviour, because it splits updates out into a separate step and stops them happening during gem installation. References: - https://docs.npmjs.com/cli/v11/commands/npm-install - https://docs.npmjs.com/cli/v11/commands/npm-ci
tombye
added a commit
that referenced
this pull request
Sep 17, 2025
Patch release to change the method of installation npm uses: #433
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What’s changed
Change uses of
npm installin the gemspec file to instead usenpm ci, to ensure no npm packages used by the gem get updated when the gem is installed.Identifying a user need
Users of the gem should be able to know, and query, which npm packages the gem will install on their machine/environment at any given time. This is easy to do with
npm ci, because it just installs what's inpackage-lock.jsonfrom scratch whereasnpm installwill install whatever npm packages satisfy the versions specified inpackage.json.Notes for reviewers
Please check the logic behind these changes, described in the commit message, before approving. These changes make the assumption that the only difference this will make to users of the gem is the lack of any changes to the npm packages in their node_modules folder.