I have a project that uses node.js 14.16.0. Both my team member and I use that version.
I use npm 6.14.11 and my team member uses npm 7.x.x.
This results in the package-lock.json being different; the lockfileVersion property is 1 on my PC but 2 on theirs.
I already use nvm and am considering adding a .nvmrc so everyone always uses the same node version, but this doesn't fix the npm version issue.
I believe that it is a good idea to use the npm version that the installed node.js version provides. If the next big LTS release uses a new npm version, the project will switch to that. But on NPM's site they say:
npm is a separate project from Node.js, and tends to update more frequently. As a result, even if you’ve just downloaded Node.js (and therefore npm), you’ll probably need to update your npm. Luckily, npm knows how to update itself!
Which makes me believe I should always update.
But they also say:
Node.js has lots of versions! To use Node.js, and therefore npm, effectively, you’ll want to make sure that you are on a version that is supported by the Node.js team. In general, you should use the version of Node.js labelled “LTS”.
Which makes me believe I shouldn't update and just use the one node.js provides.
What is the best practice?
npm has a concept of LTS. In fact, they tag a release lts so you can npm install -g npm@lts and get the latest LTS version, which as of this writing is 7.6.3.
npm will continue to support any major version of npm as long as it shipped with a version of node that is still supported. So they will support npm@6 until 14 goes EOL because npm@6 shipped with version 14.
That said, npm@7 is the current version of npm and it too will be supported on 14 as well for as long as 14 is supported.
If in doubt, use npm@lts (which is version 7 as of this writing). However, if you don't really care one way or the other and don't want to force your coworker to update, npm@6 will continue to receive updates as long as Node.js 14 is supported. I would recommend updating to the latest npm install -g npm@6 though. Either version (npm@6 or npm@7) should work just fine. You just need to pick one with your coworker to avoid the package-lock.json churn (or not care about the lockfile churn).
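One way to catch the mismatch before it turns into lockfile churn, as an added example that is not part of the question or the answer above: a small POSIX shell check that reads lockfileVersion from package-lock.json and compares it with the major version of the npm on PATH. The mapping it assumes (npm 6 writes lockfileVersion 1, npm 7 writes 2) is taken from the versions discussed in this thread; the function names and the RUN_LOCK_CHECK switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the question or answer): fail fast when the installed
# npm would rewrite package-lock.json with a different lockfileVersion.
# Assumed mapping from the thread: npm 6 writes lockfileVersion 1, npm 7 writes 2.

# Print the lockfileVersion number found in a package-lock.json file.
lockfile_version() {
  sed -n 's/.*"lockfileVersion"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print the lockfileVersion that a given npm major version writes.
expected_lockfile_version() {
  case "$1" in
    6) echo 1 ;;
    7) echo 2 ;;
    *) echo unknown ;;
  esac
}

# Compare the lockfile on disk with what this npm major would write.
# Prints a one-line verdict; returns 0 on match, 1 on mismatch.
check_lockfile() {
  lock="$1"
  npm_major="$2"
  have=$(lockfile_version "$lock")
  want=$(expected_lockfile_version "$npm_major")
  if [ -n "$have" ] && [ "$have" = "$want" ]; then
    echo "ok: npm $npm_major matches lockfileVersion $have"
    return 0
  fi
  echo "mismatch: npm $npm_major writes lockfileVersion $want, but $lock has '$have'" >&2
  return 1
}

# Real run (opt-in so the functions can be sourced without side effects):
# compare the checked-out lockfile against the npm currently on PATH.
if [ "${RUN_LOCK_CHECK:-0}" = "1" ]; then
  check_lockfile package-lock.json "$(npm --version | cut -d. -f1)"
fi
```

Run it with `RUN_LOCK_CHECK=1 sh check-lock.sh` in the project root; a non-zero exit means the npm you are about to use would rewrite the lockfile in the other format.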