npm ci is a great command for continuous integration.
I believe it can be further improved by making it only require a valid package-lock.json (without package.json).
So that when people do CI with Docker they could modify their Dockerfile to

```dockerfile
ADD package-lock.json .
RUN npm ci
ADD package.json .
```

So the node_modules could take advantage of the cache when no dependencies are changed; even if other parts of package.json have been modified, e.g. a version bump, the cache is still available.
This change loses the ability to check the consistency between package.json and package-lock.json. But it could be done with another command, suppose it will be called
npm ci verify-lock-file, then the Dockerfile could be written as

```dockerfile
ADD package-lock.json .
RUN npm ci
ADD package.json .
RUN npm ci verify-lock-file
```
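As an added illustration of what the proposed verify-lock-file step would have to check (this is example code, not npm's own implementation), the function below compares the dependency ranges declared in package.json with the root entry of package-lock.json. It assumes lockfileVersion 2 or 3, where `packages[""]` mirrors the root manifest, and deliberately ignores the root `version` field so that a version bump alone does not fail the check; the manifests are constructed samples.

```javascript
// Added example, not npm's code: minimal package.json vs package-lock.json
// consistency check in the spirit of the proposed "npm ci verify-lock-file".
// Assumes lockfileVersion >= 2, where lock.packages[""] mirrors the manifest.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns a list of human-readable problems; an empty list means consistent.
// The root name/version are intentionally not compared, so a version bump
// in package.json does not invalidate an otherwise matching lockfile.
function verifyLockFile(pkg, lock) {
  const problems = [];
  const root = lock.packages && lock.packages[""];
  if (!root) {
    problems.push('lockfile has no root entry (packages[""]); lockfileVersion >= 2 required');
    return problems;
  }
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name} is in package.json but not in the lockfile`);
      } else if (locked[name] !== range) {
        problems.push(`${field}: ${name} range differs (package.json ${range}, lock ${locked[name]})`);
      }
      // Each declared dependency must also have a resolved node_modules entry,
      // otherwise "npm ci" would be installing something the lock never pinned.
      if (!lock.packages[`node_modules/${name}`]) {
        problems.push(`${field}: ${name} has no resolved node_modules/${name} entry`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}: ${name} is in the lockfile but not in package.json`);
      }
    }
  }
  return problems;
}

// Constructed samples: a version bump alone keeps manifest and lock consistent...
const lock = {
  name: "app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
const pkgBumped = { name: "app", version: "1.1.0", dependencies: { lodash: "^4.17.21" } };
// ...while adding a dependency without regenerating the lock is flagged.
const pkgDrifted = { name: "app", version: "1.1.0", dependencies: { lodash: "^4.17.21", express: "^4.18.0" } };

console.log(verifyLockFile(pkgBumped, lock));   // []
console.log(verifyLockFile(pkgDrifted, lock));  // two problems mentioning express
```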