With the v7.4 release, npm 4 became the bundled, default package manager for Node.js. In the meantime, Facebook released their own package manager solution, called Yarn. In this article we dive into what these package managers offer, what’s the difference between them, and how they evolved.
Let’s take a look at the state of Node.js package managers and what they can do for you! I’ll also try to help you pick between npm and Yarn.
Yarn or npm in 2018? What’s the difference?
package-lock.json is automatically generated and updated for any operation where the npm CLI modifies the node_modules directory or the package.json file. In addition to that, every npm install automatically adds installed modules to both package.json and package-lock.json. This file is meant to be committed into the version control you are using. With this feature, npm reached feature parity with Yarn when it comes to lock file support.
At the same time, Yarn started to address issues that companies using mono repositories ran into. Namely, monorepos with multiple packages, each containing a package.json file. If you’d like to install dependencies for all of them with npm, that means going over each directory and issuing npm install in all of them.
To help with this process, Yarn introduced workspaces. In combination with Lerna, it gives package authors a powerful toolset to manage the dependencies of their projects and also makes publishing a lot easier.
Which package manager to use in 2018?
If I’d start a project tomorrow, I would pick npm to manage dependencies, because:
- now it comes with lock file support,
- it does not send package usage information to Facebook (yarn uses Facebook’s npm registry mirror)
Update regarding the Yarn registry
We got contacted on Twitter by Burak Yiğit Kaya, who works on Yarn, with relevant information about the registry Yarn uses. Here is his tweet:
— Burak Yiğit Kaya (@madbyk) April 24, 2018
Essentially, it means that Yarn does not maintain its own registry; it just points its domain to the original npm registry through Cloudflare. On Cloudflare, they can see usage statistics, and the Yarn client benefits from Cloudflare’s caches.
To clarify this, Yarn will add an FAQ section to their page.
Meet the Yarn package manager – a new npm alternative
Fast, reliable and secure dependency management – this is the promise of Yarn, the new dependency manager created by the engineers of Facebook.
But can Yarn live up to the expectations?
There are several ways of installing Yarn. If you have npm installed, you can just install Yarn with npm:
npm install yarn --global
However, the way recommended by the Yarn team is to install it via your native OS package manager – if you are on a Mac, that will probably be Homebrew:
brew update
brew install yarn
Yarn Under the Hood
Yarn has a lot of performance and security improvements under the hood. Let’s see what these are!
When you install a package using Yarn (using yarn add packagename), it places the package on your disk. During the next install, this package will be used instead of sending an HTTP request to get the tarball from the registry.
Your cached module will be put into ~/.yarn-cache, and will be prefixed with the registry name and postfixed with the module’s version.
This means that if you install the 4.4.5 version of express with Yarn, it will be put into
Yarn uses lockfiles (yarn.lock) and a deterministic install algorithm. We can say goodbye to the “but it works on my machine” bugs.
The lockfile looks something like this:
It contains the exact version numbers of all your dependencies – just like with an npm shrinkwrap file.
Yarn comes with a handy license checker, which can become really powerful in case you have to check the licenses of all the modules you depend on.
Yarn is still in its early days, so it’s no surprise that there are some questions arising when you start using it.
What’s going on with the default registry?
By default, the Yarn CLI uses a different registry, not the original one: https://registry.yarnpkg.com. So far there is no explanation of why it does not use the same registry.
Does Facebook have plans to make incompatible API changes and split the community?
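Both the lock file support discussed earlier and the registry question above are things you can check on your own projects. The script below is an added example, not code from the original article, npm or Yarn: it audits a constructed package.json against a constructed package-lock.json (npm 5, lockfileVersion 1 layout) and reports dependencies that are not locked, locked entries without an integrity hash, and entries resolved from a registry other than the one you expect (assumed here to be registry.npmjs.org).

```javascript
// Added example, not code from the original article: a sanity check for the
// npm 5 package-lock.json layout (lockfileVersion 1). It reports dependencies
// declared in package.json but absent from the lockfile, locked entries with no
// integrity hash, and entries resolved from an unexpected registry.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/'; // assumption: expected source
// Walk lockfile entries recursively; nested deps live in entry.dependencies.
function walkEntries(entries, expectedRegistry, findings) {
  for (const [name, entry] of Object.entries(entries || {})) {
    const label = `${name}@${entry.version}`;
    if (!entry.integrity) {
      findings.push(`${label}: no integrity hash, tarball cannot be verified on install`);
    }
    if (entry.resolved && !entry.resolved.startsWith(expectedRegistry)) {
      findings.push(`${label}: resolved from ${entry.resolved}, not ${expectedRegistry}`);
    }
    walkEntries(entry.dependencies, expectedRegistry, findings);
  }
}

// Returns human-readable findings; an empty list means every declared dependency
// is locked and every locked entry is pinned by hash to the expected registry.
function auditLockfile(pkg, lock, expectedRegistry = EXPECTED_REGISTRY) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = (lock && lock.dependencies) || {};
  for (const name of Object.keys(declared)) {
    if (!locked[name]) findings.push(`${name}: declared in package.json but missing from package-lock.json`);
  }
  walkEntries(locked, expectedRegistry, findings);
  return findings;
}

// Constructed sample input (not real lockfile data): left-pad is unlocked, and a
// nested dependency came from another registry without an integrity field.
const packageJson = { dependencies: { express: '^4.4.5', 'left-pad': '^1.1.3' } };
const packageLock = {
  lockfileVersion: 1, requires: true,
  dependencies: {
    express: {
      version: '4.4.5',
      resolved: 'https://registry.npmjs.org/express/-/express-4.4.5.tgz',
      integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH',
      dependencies: {
        debug: { version: '1.0.2', resolved: 'https://registry.yarnpkg.com/debug/-/debug-1.0.2.tgz' },
      },
    },
  },
};

auditLockfile(packageJson, packageLock).forEach((f) => console.log(f));
```

Run it against the real files by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` calls; a clean run prints nothing.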
Contributing back to npm?
One of the most logical questions that comes up when talking about Yarn is: why not talk with the CLI team at npm and work together?
If the problem is speed, I am sure all npm users would like to get those improvements as well.
When we talk about deterministic installs, instead of coming up with a new lockfile, npm-shrinkwrap.json should have been fixed.
npm, the Node package manager we all know
npm is the default package manager we all know, and it is bundled with each Node.js release since v7.4.
To start using npm version 4, you just have to update your current CLI version:
npm install npm -g
At the time of writing this article, this command will install npm version 4.1.1, which was released on 12/11/2016. Let’s see what changed in this version!
Changes since version 3
- npm search is now reimplemented to stream results, and sorting is no longer supported,
- npm scripts no longer prepend the path of the node executable used to run npm before running scripts,
- prepublish has been deprecated – you should use prepare from now on,
- npm outdated returns 1 if it finds outdated packages,
- partial shrinkwraps are no longer supported – the npm-shrinkwrap.json is considered a complete manifest,
- Node.js 0.10 and 0.12 are no longer supported,
- npm doctor was added, which diagnoses the user’s environment and recommends solutions if there are potential problems related to npm.
Key changes in npm 5!
As you can see, the team at npm was quite busy as well – both npm and Yarn made great progress in the past years.
Conclusion: Yarn or npm?
It is great to see a new, open-source npm client – no doubt, a lot of effort went into making Yarn great!
Hopefully, we will see the improvements of Yarn incorporated into npm as well, so that users of both benefit from each other’s improvements.
Yarn vs. npm – Which one to pick?
I would recommend using npm to manage dependencies in 2018, because it comes with lock file support and does not send package usage information to Facebook (Yarn uses Facebook’s npm registry mirror).