diff --git a/internal/npm_install/npm_install.bzl b/internal/npm_install/npm_install.bzl
index 17d21b7c53..87aa139014 100644
--- a/internal/npm_install/npm_install.bzl
+++ b/internal/npm_install/npm_install.bzl
@@ -208,7 +208,11 @@ def _npm_install_impl(repository_ctx):
 is_windows_host = is_windows_os(repository_ctx)
 node = repository_ctx.path(get_node_label(repository_ctx))
 npm = get_npm_label(repository_ctx)
- npm_args = ["install"] + repository_ctx.attr.args
+
+ # Use npm ci to have hermetic installs that only install the exact version
+ # from the package-lock.json file. To update or install a different version
+ # use the bazel managed binary `bazel run @nodejs//:npm install`.
+ npm_args = ["ci"] + repository_ctx.attr.args
 # If symlink_node_modules is true then run the package manager
 # in the package.json folder; otherwise, run it in the root of
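Review bot: The comment added above `npm_args = ["ci"] + repository_ctx.attr.args` calls the install hermetic, but `npm ci` only pins resolution to package-lock.json and errors out when the lockfile is missing or out of sync with package.json; packages are still fetched from the registry and dependency lifecycle scripts still run during the repository fetch. I would word it as `# Use npm ci so only the exact versions recorded in package-lock.json are installed;` `# it fails if the lockfile is missing or out of sync, and install scripts still run.` Two behaviour changes deserve a mention in the same comment: `npm ci` removes an existing node_modules before installing, which matters when symlink_node_modules makes npm run in the user's package.json folder (the context comment just below), and values in `args` that were only valid for `npm install` are now passed to `ci` unchanged. `_npm_install_impl` starts and ends outside the hunk, so whether the rule's attributes already require a lockfile is not visible here.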