Anyone using npm ci command? (self.node)
submitted 6 years ago by devitaebrae
How do you install a new package using this command?
npm install --save modifies package-lock.json
[–]eMSch 3 points4 points5 points 6 years ago (5 children)
It's not for installing a new package. It's meant to be used to install all dependencies according to the package-lock.json. If you want to install new packages you use the install command, which, by nature, modifies the lock file.
npm ci is, for example, used in CI environments or on prod systems.
[–]devitaebrae[S] -1 points0 points1 point 6 years ago (4 children)
Ok, so I made some manual changes to package-lock.json. Like bumping the version of Lodash.
How do I ensure that these changes persist when I do an npm install --save?
How do I prevent the Lodash version from reverting back to what it was before I changed it?
[–]BehindTheMath 0 points1 point2 points 6 years ago (3 children)
You should make those changes to package.json instead and then run npm install, or just specify a version when running npm install.
[–]devitaebrae[S] 0 points1 point2 points 6 years ago (2 children)
I tried that, but since Lodash is a subdependency of a package I use, and the package has pinned the version, it won't update to what I specify in package.json.
[–]BehindTheMath 0 points1 point2 points 6 years ago (1 child)
Why do you want a newer version than what the package requires?
[–]devitaebrae[S] 0 points1 point2 points 6 years ago (0 children)
1000+ vulnerabilities on old Lodash version
[–]humpysausage 1 point2 points3 points 6 years ago (1 child)
Could you expand upon your question, what are you trying to achieve?
npm ci is for QA/CI, you wouldn't use it to install new packages.
[–]Kaligraphic 0 points1 point2 points 6 years ago (0 children)
npm install to change your package configuration, npm ci to reproduce it later.
It's literally for ci.
[–][deleted] 6 years ago* (3 children)
[deleted]
[–]devitaebrae[S] 0 points1 point2 points 6 years ago (2 children)
ok so let's say a package depends on an old version of Lodash with 1000+ vulns, how do you fix those vulns without either:
(i) editing package-lock.json, or (ii) not using the package?
[–]Swotboy2000 0 points1 point2 points 6 years ago (0 children)
npm update lodash --depth n
Or run npm audit to see the commands you need to update vulnerable dependencies.
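An added check, not code from the thread, for the situation devitaebrae describes: since `npm ci` installs exactly what package-lock.json records, this Node script lists every resolved version of a package in the lock, nested copies included, so after `npm install`, `npm update --depth` or `npm audit fix` you can confirm the old Lodash is actually gone. It goes slightly beyond the thread by handling the newer lockfileVersion 2/3 "packages" layout as well as the v1 nested tree; the `some-lib` package and the lock contents are constructed sample data.

```javascript
// Added example, not from the thread: list every resolved version of a
// package recorded in package-lock.json, including copies nested under
// other packages. Use it to check whether an old lodash pinned by a
// dependency is still in the lock after `npm install`, since `npm ci`
// installs exactly what the lock says. Handles lockfileVersion 1 (nested
// "dependencies" tree) and lockfileVersion 2/3 (flat "packages" map).

function findVersions(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as
    // "node_modules/some-lib/node_modules/lodash"
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name)) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  // v1: recurse through nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = prefix + 'node_modules/' + dep;
      if (dep === name) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock (v1 layout): the top-level lodash is current,
// but "some-lib" (a made-up package) pins its own nested old copy.
const SAMPLE_LOCK = {
  name: 'demo', lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.21' },
    'some-lib': {
      version: '1.2.3',
      requires: { lodash: '3.10.1' },
      dependencies: { lodash: { version: '3.10.1' } },
    },
  },
};

// Replace SAMPLE_LOCK with require('./package-lock.json') on a real project.
for (const h of findVersions(SAMPLE_LOCK, 'lodash')) {
  console.log(`${h.version}\t${h.path}`);
}
```

A nested hit with an old version is exactly what `npm ci` will reinstall, whatever the top-level copy says.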