[fendy3002]

Exactly what I said, I have experience with ~ but not with ^ and have never used it. Let's say that you have a package version ~1.2.11 and have 1.2.11 as installed version in package lock. Then if let's say 1.2.13 is out there, npm install will update package lock to that one. npm ci won't change that. package.json file will kept unchanged though.

[rezonant]

No, "npm install" doesn't actually do that. In the situation you are talking about, "npm install" and "npm ci" behave the same.

It makes sense that they behave the same here right? What is the point of a package lock if just installing packages on a new copy of a codebase updates the dependencies?

Package locks aren't just about deploying: As a developer, I need to be assured that the code I'm running is the same as my coworker.

[fendy3002]

Hmm weird, I remember it changed on the older version though, which is why npm ci is introduced.

[rezonant]

Yes I think you are right when NPM first introduced it, which was in NPM 5 [1]. At that time package locks were new.

Node 16 shipped with NPM 8, and by then this was not the behavior any more. I don't remember exactly when, but I believe it might've been in NPM 7 when this changed. Node 15 would have been the first release to ship with at least NPM 7 [2]

EDIT: Node 16.0.0 shipped with NPM 7.8.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHAN...

EDIT 2: A StackOverflow confirming NPM 5 behaved the way you remember: https://stackoverflow.com/questions/45022048/why-does-npm-in...

EDIT 3: And, as that SO documents, 5.4.2 changed the behavior to prevent this, here's the GitHub issue: https://github.com/npm/npm/issues/17979#issuecomment-3327012...

Honestly no guarantees it worked as intended right at that release, but the intention is clear.

EDIT 4: I realize that the following may present retort but it matches my mental model perfectly:

> If you manually edit your package.json to have different ranges and run npm i and those ranges aren't compatible with your package-lock.json then the latter will be updated with version that are compatible with your package.json. Further runs of npm i will be as with 2 above.

This is what I've mentioned elsewhere: You should not update package.json's versions and deploy it and expect that versions won't change when NPM install runs. In fact, npm ci will just fail in this situation, which is a Good Thing (TM), and is documented as such.

LAST EDIT SRSLY:

It is conceivable, especially given OPs other red flags, that perhaps they were on an older Node/NPM like Node 14.

That's another practice that I regularly do, pin NPM itself in deploy scripts. While I was using Node 14, I was using NPM 8, because you can just "npm i npm@8 -g" to upgrade your NPM regardless of Node version.

[1] https://blog.npmjs.org/post/171556855892/introducing-npm-ci-...

[2] https://nodejs.org/en/about/previous-releases

[fendy3002]

Woah thanks for very detailed answer! So yeah it's an old behavior then.