Why you should never use ‘npm install’ in your CI/CD pipelines

npm ci is clean install. This relies solely on the dependency definitions in package.json and package-lock.json, but doesn’t install it.

npm install vs update - what’s the difference?

npm update updates all the packages in the node_modules directory and their dependencies.
install - install and update with latest modules which are in package.json.

Package manager - a file that wraps up everything needed to make that software work on the system.
NPM components: registry, the website, NPM CLI.
- The largest software registry on the Internet.
- CLI - install, audit, update, npm uninstall, etc.
Yarn:
- Built by Facebook and supported by Google, Exponent, Tilde.
- Built on top of the registry, so packages published on NPM are also avail on Yarn.
Yarn architecture:
- Resolution - Yarn perform lookup on records.
- Cache lookup - Check dependencies in the cache.
- Installation - installed on node_modules or .yarn folder.
Yarn 2: Re-architecture and rewrite of the Yarn project manager.
Which is better?
- Metadata - both in package.json.
- Yarn no longer tracks dependencies in the node modules subdirectory.
- Both do security.
- npx and yarn dlx command can run scripts remotely in both NPM and Yarn.
- Speed: Yarn because it installs dependency packages in parallel.