Should I update my npm version or use the one node.js provides?

I have a project that uses node.js 14.16.0. Both my team member and I use that version. I use npm 6.14.11 and my team member uses npm 7.x.x. This results in the package-lock.json being different; the lockFileVersion property is 1 on my PC but 2 on theirs.

I already use nvm and am considering adding a .nvmrc so everyone always uses the same node version, but this doesn't fix the npm version issue.

I believe that it is a good idea to use the npm version that the installed node.js version provides. If the next big LTS release uses a new npm version, the project will switch to that. But on NPM's site they say:

npm is a separate project from Node.js, and tends to update more frequently. As a result, even if you’ve just downloaded Node.js (and therefore npm), you’ll probably need to update your npm. Luckily, npm knows how to update itself!

Which makes me believe I should always update.

But they also say:

Node.js has lots of versions! To use Node.js, and therefore npm, effectively, you’ll want to make sure that you are on a version that is supported by the Node.js team. In general, you should use the version of Node.js labelled “LTS”.

Which makes me believe I shouldn't update and just use the one node.js provides.

What is the best practice?



Solution 1:[1]

npm has a concept of LTS. They used to tag a release lts so you could npm install -g npm@lts and get the latest lts version, but alas, no more.

npm will continue to support any major version of npm as long as it shipped with a version of node that is still supported. So they will support npm@6 until 14 goes EOL because npm@6 shipped with version 14.

That said, npm@7 is the current version of npm and it will be supported on 14 as well, for as long as 14 is supported.

If you don't want to force your coworker to update, npm@6 will continue to receive updates as long as Node.js 14 is supported. I would recommend updating to the latest npm@6 with npm install -g npm@6 though. Either version (npm@6 or npm@7) should work just fine. You just need to pick one with your coworker to avoid the package-lock.json churn (or not care about the lockfile churn).
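As an added example (not part of the original answer): the point about picking one npm major with your coworker can be enforced mechanically instead of by agreement. The POSIX shell script below is illustrative code written for this page, not an npm feature. It maps an npm major to the lockfileVersion that major writes (npm@6 writes 1, npm@7 and npm@8 write 2, npm@9 and later write 3), reads lockfileVersion out of package-lock.json without needing jq, and compares the npm that is actually running against the major the team pinned. The sample lockfile and the hypothetical pin value are constructed for the example; run it as `sh check-npm.sh 6` from the repo root, or wire it into a "preinstall" script or a CI step so a mismatched npm fails before it rewrites the lockfile.

```shell
#!/bin/sh
# Added example: keep the whole team on one npm major so package-lock.json
# does not flip between lockfileVersion 1 and 2 on every install.
# Assumptions: the pinned npm major is passed as $1 and package-lock.json
# lives in the current directory (or its path is passed as $2).

# lockfileVersion written by a given npm major:
# npm@6 and older -> 1, npm@7/npm@8 -> 2, npm@9 and later -> 3.
expected_lockfile_version() {
  case "$1" in
    [0-6]) echo 1 ;;
    7|8)   echo 2 ;;
    *)     echo 3 ;;
  esac
}

# Extract the integer after "lockfileVersion": from a package-lock.json.
# Plain sed so the check works before any dependency (e.g. jq) is installed.
lockfile_version() {
  sed -n 's/^[[:space:]]*"lockfileVersion":[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Major component of a version string such as "6.14.11" or "v14.16.0".
major_of() {
  printf '%s\n' "$1" | sed 's/^v//; s/\..*//'
}

# $1 = pinned npm major, $2 = path to package-lock.json.
# Fails if the committed lockfile was written by a different npm major.
check_lockfile() {
  want=$(expected_lockfile_version "$1")
  have=$(lockfile_version "$2")
  if [ "$have" != "$want" ]; then
    echo "$2: lockfileVersion is '$have' but npm@$1 writes $want;" \
         "regenerate it with npm@$1 (npm install -g npm@$1 && npm install)" >&2
    return 1
  fi
  return 0
}

# $1 = pinned npm major, $2 = running npm version (defaults to `npm --version`).
# Fails if the installed npm is a different major than the one the team pinned.
check_running_npm() {
  running=${2:-$(npm --version 2>/dev/null)}
  if [ "$(major_of "$running")" != "$1" ]; then
    echo "npm $running is installed but the project pins npm@$1;" \
         "run: npm install -g npm@$1" >&2
    return 1
  fi
  return 0
}

# Stand-alone use: sh check-npm.sh 6 [path/to/package-lock.json]
if [ "$#" -ge 1 ]; then
  check_running_npm "$1" && check_lockfile "$1" "${2:-package-lock.json}"
fi
```

Pinning the major rather than an exact patch version is deliberate: npm@6.x releases all write lockfileVersion 1, so patch updates within the agreed major do not churn the lockfile, which is the same reason the answer recommends `npm install -g npm@6` rather than a frozen patch release.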

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
