> raising an error if it’s incompatible with package.json

How? Why? What's your use-case?

Two essential use cases:

1) For local development, I’m seeking a command I can use after pulling, to safely and quickly install any needed dependencies that have been added by others. Currently I use npm ci but it’s absurdly overkill (and therefore very slow).

2) For CI itself. I cache node_modules/ across builds, which significantly speeds up my builds. Currently I npm i, and check if lockfile changed, and if it did, checkout lockfile and npm ci.

I shouldn’t need to npm ci ever unless my node_modules/ became corrupt for some reason. Because npm ci ALWAYS blows away node_modules/, it’s not a reasonable piece of everyday functionality, it’s just a semantically ambiguous way to rm -rf node_modules/ && npm i -—respect-lockfile (made up flag I wish existed). The obvious explanation is that the npm developers couldn’t figure out how to reliably reconcile node_modules/ with the lockfile, so just gave up and shipped npm ci.

Or if the rm -rf node_modules/ isn’t strictly necessary for npm ci, then give me npm ci —-skip-drop-node-modules, that would be equivalent and fine for my purposes.

if npm i is overwriting the lock file, it means someone updated the package.json, and didn't update the lock file (as in, did not install the update).

btw ci is super fast (caching) unless you have one of those modules that download the whole effing chromium after install (brain dead behavior).

I wish it were so simple. Maybe I’ve just been bit by too many bugs in npm over time, but I repeatedly see npm i change the lockfile when incrementally installing a new package that was correctly locked. Fortunately at least npm ci has always been reliable.

What do you mean ci is super fast? Is it intended to be caching the packages somewhere other than node_modules?

> I repeatedly see npm i change the lockfile when incrementally installing a new package that was correctly locked

There's been some bugs in the implementation but never had anything in the last few years, other than some people accidentally committing unapplied package.json changes, and built a precommit hook and a server-side check for that in many projects.

> What do you mean ci is super fast? Is it intended to be caching the packages somewhere other than node_modules?

Yes: https://docs.npmjs.com/cli/v6/commands/npm-cache#configurati... . If you want a more Java-like (to be more accurate, artifactory-like) experience, you can also opt-in for Verdaccio: https://verdaccio.org/ You can also use the artifactory itself: https://www.jfrog.com/confluence/display/RTF/Npm+Registry

I had more success with verdaccio though.

Quality of the packages has been discussed to death, say about that anything you like, but npm has been rock-solid for me in the last few years. Definitely not a joke IMHO.