[FEATURE] npm ci --global true is not supported

[nagilson]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When trying npm ci --global true, the following is returned: npm ERR! npm ci does not work for global packages.

Expected Behavior

It would be nice if npm had a global package-lock.json that could be used to install global packages without dependency updates. Internally at MSFT we are doing a push to use private registries that cannot be pushed upstream automatically and it's been a large impediment that we can't lock global package installs to a specific version because our infrastructure will fail whenever a global package dependency update goes live and somebody has to go push upstream the new version.

Steps To Reproduce

Already said above.

Environment

• npm: 8.19.2
• OS Name: Windows 11

[ljharb]

Generally having global packages at all is considered an antipattern; what are your use cases where it wouldn't make sense to have a utility project-local?

(separately, you may want to file this on https://github.com/npm/rfcs instead of here)

[nagilson]

Heya, thanks for the fast response. I think it's not a great pattern either: the current reason we do is for installing vsce as part of a pipeline, https://github.com/microsoft/vscode-vsce, globally under their guidance.

For context, VSCE is a tool that packages code into a VSCode extension (.VSIX). vsce is not related to the code itself and bundling it locally with the extension source code also doesn't seem great, which is what would happen if we were to add it locally. npm is the primary endpoint for acquiring the tool atm. If you have any alternative thoughts that would be really helpful.

Is it possible to move this to /rfcs? Thanks!

[fritzy]

It's common to install dev tools as a dev dependency, even in a ci pipeline. Whatever build tool is generating the extension shouldn't bundle dev dependencies with it. Am I misunderstanding?

[fritzy]

This has been addressed in a side-channel conversation. I think it's an interesting paradigm to keep in mind; what can we do to better facilitate dev tool installation and management during integrations vs local dev builds?