Tags: npm, npm-install, npm-ci

Did "npm install" become deterministic in npm 7?


Here https://github.blog/2021-02-02-npm-7-is-now-generally-available/ it's said:

The lockfile v2 unlocks the ability to do deterministic and reproducible builds to produce a package tree.

But I wonder: is it the default behavior now for npm 7? That is, if there is a package-lock.json, will npm install update top-most packages with imprecise versions like ^1.0.0 from package.json, or will it always work the same way as yarn does?

If npm install is deterministic now, would I be right to say that npm ci is mostly equivalent to

rm -rf node_modules && npm install

with some additional checks?


Solution

Short Answer:

Yes!

Longer Answer:

Provided you have a package-lock.json or a yarn.lock file, npm and yarn, respectively, both yield deterministic results.

One thing to note here, however, is that yarn, using the yarn.lock file, yields deterministic builds only for a specific version of yarn:

Yarn installs are guaranteed to be deterministic given a single combination of yarn.lock and Yarn version. It is possible that a different version of Yarn will result in a different tree layout on disk.

Whereas npm's algorithms allow it to yield deterministic results even for different versions of npm, because the npm tree-building contract is entirely specified by the package-lock.json file.

You can find a more detailed explanation of the two in this blog.
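The "additional checks" the question alludes to are, in essence, that npm ci refuses to run when package.json and the lockfile disagree, and that every resolved package in a v2 lockfile carries an integrity hash. The following is an added illustration written for this answer, not npm's own code: a simplified approximation of that sync check run over a constructed package.json and package-lock.json pair (the hashes and URLs are placeholders, and workspace `link` entries are not handled).

```javascript
// Constructed sample inputs, not taken from any real project.
const packageJson = {
  name: 'demo-app',
  dependencies: { lodash: '^4.17.20' },
  devDependencies: { jest: '^27.0.0' },
};

const packageLock = {
  name: 'demo-app',
  lockfileVersion: 2,               // lockfile v2 is what npm 7 writes
  packages: {
    '': {                           // root entry mirrors package.json's specs
      name: 'demo-app',
      dependencies: { lodash: '^4.17.20' },
      devDependencies: { jest: '^26.6.0' },   // drifted: package.json now says ^27.0.0
    },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.example/lodash-4.17.21.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/jest':   { version: '26.6.3',  resolved: 'https://registry.example/jest-26.6.3.tgz',    integrity: 'sha512-PLACEHOLDER' },
  },
};

const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns a list of problems; an empty list means the pair is consistent in the way
// `npm ci` requires before it will do a clean, lockfile-driven install.
function lockfileProblems(pkg, lock) {
  const problems = [];
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    problems.push(`lockfileVersion ${lock.lockfileVersion} lacks the "packages" map introduced with npm 7`);
    return problems;
  }
  const root = lock.packages[''] || {};
  for (const field of FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(declared)) {
      if (!(name in locked)) problems.push(`${field}: ${name} is in package.json but not in the lockfile root`);
      else if (locked[name] !== spec) problems.push(`${field}: ${name} is ${spec} in package.json but ${locked[name]} in the lockfile`);
      if (!lock.packages[`node_modules/${name}`]) problems.push(`${name} has no resolved entry under node_modules/`);
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) problems.push(`${field}: ${name} is in the lockfile root but not in package.json`);
    }
  }
  // Each resolved package needs an integrity hash: that is what makes the install
  // both reproducible and tamper-evident against a swapped tarball.
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== '' && !entry.integrity) problems.push(`${path} has no integrity field`);
  }
  return problems;
}
```

Running lockfileProblems(packageJson, packageLock) on the sample reports the drifted jest spec, which is the situation where npm ci exits with an error while a plain npm install would quietly re-resolve and rewrite the lockfile.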