With the v7.4 release, npm 4 became the bundled, default package manager for Node.js.
In the meantime, Facebook released their own package manager solution, called Yarn.
Let's take a look at the state of Node.js package managers, what they can do for you, and when you should pick which one!
Yarn - the new kid on the block
Fast, reliable and secure dependency management - this is the promise of Yarn, the new dependency manager created by the engineers of Facebook.
But can Yarn live up to the expectations?
There are several ways of installing Yarn. If you have npm installed, you can just install Yarn with npm:
npm install yarn --global
However, the recommended way by the Yarn team is to install it via your native OS package manager - if you are on a Mac, it will probably be
brew update
brew install yarn
Yarn Under the Hood
Yarn has a lot of performance and security improvements under the hood. Let's see what these are!
When you install a package using Yarn (using yarn add packagename), it also caches the package on your disk. During the next install, this cached copy is used instead of sending an HTTP request to fetch the tarball from the registry.
Your cached module will be put into ~/.yarn-cache, prefixed with the registry name and postfixed with the module's version. This means that if you install the 4.4.5 version of express with Yarn, it will be put into such a directory under ~/.yarn-cache.
Yarn also uses lockfiles (yarn.lock) and a deterministic install algorithm. We can say goodbye to the "but it works on my machine" bugs.
The lockfile looks something like this:
It contains the exact version numbers of all your dependencies - just like an npm shrinkwrap file.
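To make the lockfile's contents concrete, here is an added example (not code from the original article or from the Yarn project): a minimal parser for the Yarn v1 lockfile format, followed by the review a practitioner would run before committing yarn.lock - every entry should resolve to the registry you expect, over https, with a checksum fragment Yarn can verify on install. The lockfile text is constructed for the demo and the "#..." fragments are placeholder checksums, not real ones.

```javascript
// Added example, not code from the original article or from the Yarn project:
// a minimal parser for the Yarn v1 lockfile format and a pre-commit style
// review of what it pins. The lockfile text is constructed for this demo and
// the "#..." fragments are placeholder checksums, not real ones.

const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


express@^4.4.5, express@~4.4.0:
  version "4.4.5"
  resolved "https://registry.yarnpkg.com/express/-/express-4.4.5.tgz#0000000000000000000000000000000000000000"
  dependencies:
    debug "1.0.2"

debug@1.0.2:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/debug/-/debug-1.0.2.tgz#1111111111111111111111111111111111111111"

left-pad@^1.0.0:
  version "1.1.3"
  resolved "http://mirror.example.internal/left-pad/-/left-pad-1.1.3.tgz"
`;

// Parse the v1 format: an unindented `name@range[, name@range]:` header opens an
// entry, two-space indented `key "value"` lines are its fields, and a
// `dependencies:` block lists the entry's own pinned dependencies four spaces in.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split('\n')) {
    if (rawLine.trim() === '' || rawLine.startsWith('#')) continue;
    if (!rawLine.startsWith(' ')) {
      const specs = rawLine.replace(/:$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      const first = specs[0];
      current = { specs, name: first.slice(0, first.lastIndexOf('@')), dependencies: {} };
      inDeps = false;
      entries.push(current);
      continue;
    }
    const line = rawLine.trim();
    if (inDeps && rawLine.startsWith('    ')) {
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]*)"$/);
      if (m) current.dependencies[m[1]] = m[2];
      continue;
    }
    inDeps = line === 'dependencies:';
    if (inDeps) continue;
    const m = line.match(/^(\w+)\s+"([^"]*)"$/);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

// Review what the lockfile pins: every entry should resolve to an allowed
// registry host, over https, with a checksum fragment for Yarn to verify.
function auditLock(entries, allowedHosts) {
  const findings = [];
  for (const e of entries) {
    if (!e.resolved) {
      findings.push({ name: e.name, issue: 'no resolved URL' });
      continue;
    }
    const url = new URL(e.resolved);
    if (!allowedHosts.includes(url.host)) findings.push({ name: e.name, issue: `unexpected host ${url.host}` });
    if (url.protocol !== 'https:') findings.push({ name: e.name, issue: 'not fetched over https' });
    if (!url.hash) findings.push({ name: e.name, issue: 'no checksum fragment' });
  }
  return findings;
}

// In the constructed sample only the left-pad entry is flagged (three findings).
console.log(auditLock(parseYarnLock(SAMPLE_LOCK), ['registry.yarnpkg.com']));
```

Run against a real yarn.lock, a non-empty findings list is exactly the diff a reviewer wants to see on a pull request: an entry whose resolved URL drifted to another host or lost its checksum is a change in what gets installed, even when the version number looks the same.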
Yarn comes with a handy license checker, which becomes really useful when you have to check the licenses of all the modules you depend on.
Yarn is still in its early days, so it’s no surprise that there are some questions arising when you start using it.
What’s going on with the default registry?
By default, the Yarn CLI uses a different registry, and not the original one: https://registry.yarnpkg.com. So far there is no explanation of why it does not use the same registry.
Does Facebook have plans to make incompatible API changes and split the community?
Contributing back to npm?
One of the most logical questions that can come up when talking about Yarn is: Why don't you talk with the CLI team at npm, and work together?
If the problem is speed, I am sure all npm users would like to get those improvements as well.
When we talk about deterministic installs, instead of coming up with a lockfile, the npm-shrinkwrap.json should have been fixed.
Why the strange versioning?
In the world of Node.js and npm, versions start with 1.0.0.
At the time of writing this article, Yarn is at
Is something missing to make Yarn stable? Does Yarn simply not follow semver?
npm is the default package manager we all know, and it is bundled with each Node.js release since v7.4.
To start using npm version 4, you just have to update your current CLI version:
npm install npm -g
At the time of writing this article, this command will install npm version 4.1.1, which was released on 12/11/2016. Let's see what changed in this version!
Changes since version 3
- npm search is now reimplemented to stream results, and sorting is no longer supported,
- npm scripts no longer prepend the path of the node executable used to run npm before running scripts,
- prepublish has been deprecated - you should use prepare from now on,
- npm outdated returns 1 if it finds outdated packages,
- partial shrinkwraps are no longer supported - the npm-shrinkwrap.json is considered a complete manifest,
- Node.js 0.10 and 0.12 are no longer supported,
- npm doctor was added, which diagnoses the user's environment and recommends solutions if there are potential problems related to npm.
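The "complete manifest" rule has a practical consequence: a dependency that is declared in package.json but missing from npm-shrinkwrap.json is simply not installed by npm 4. The following added example (not code from the original article or from npm itself) walks a package.json / npm-shrinkwrap.json pair, reports such gaps, and also lists any pinned tarball not served over https. Both documents are constructed for the demo; the left-pad dependency is deliberately left out of the shrinkwrap to show what a partial one looks like.

```javascript
// Added example, not code from the original article or from npm itself: with
// npm 4 treating npm-shrinkwrap.json as a complete manifest, anything declared in
// package.json but absent from the shrinkwrap will not be installed. This check
// walks a package.json / npm-shrinkwrap.json pair and reports those gaps, along
// with any pinned tarball not served over https. Both documents are constructed
// for the demo; the left-pad dependency is deliberately left out of the shrinkwrap.

const PACKAGE_JSON = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: { express: '^4.4.5', 'left-pad': '^1.0.0' },
  devDependencies: { mocha: '^3.0.0' },
};

const SHRINKWRAP = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    express: {
      version: '4.4.5',
      from: 'express@^4.4.5',
      resolved: 'https://registry.npmjs.org/express/-/express-4.4.5.tgz',
      dependencies: {
        debug: {
          version: '1.0.2',
          from: 'debug@1.0.2',
          resolved: 'https://registry.npmjs.org/debug/-/debug-1.0.2.tgz',
        },
      },
    },
  },
};

// Walk the nested "dependencies" tree and return every pinned package with the
// path that leads to it, so a finding can be located in a deep tree.
function flattenShrinkwrap(node, path = [], out = []) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    out.push({ name, version: entry.version, resolved: entry.resolved, path: here });
    flattenShrinkwrap(entry, here, out);
  }
  return out;
}

// Compare what package.json declares against what the shrinkwrap pins at the
// top level. Dev dependencies are only expected when the shrinkwrap was
// produced with them (npm shrinkwrap --dev), hence the includeDev switch.
function checkShrinkwrap(pkg, shrinkwrap, { includeDev = false } = {}) {
  const declared = Object.assign({}, pkg.dependencies, includeDev ? pkg.devDependencies : {});
  const topLevel = shrinkwrap.dependencies || {};
  const pinned = flattenShrinkwrap(shrinkwrap);
  return {
    // declared in package.json, but the shrinkwrap will never install them
    missing: Object.keys(declared).filter((n) => !(n in topLevel)),
    // pinned at the top level without being declared (stale or hand-edited)
    extraneous: Object.keys(topLevel).filter((n) => !(n in declared)),
    // any tarball, at any depth, that would be fetched without TLS
    insecureResolved: pinned
      .filter((p) => !p.resolved || !p.resolved.startsWith('https://'))
      .map((p) => p.path.join(' > ')),
    pinnedCount: pinned.length,
  };
}

// For the constructed pair this reports left-pad as missing and two pinned packages.
console.log(checkShrinkwrap(PACKAGE_JSON, SHRINKWRAP));
```

A non-empty missing list is the signal that the shrinkwrap was written when package.json looked different; regenerating it (rather than hand-editing) keeps the manifest complete, which is the property npm 4 now relies on.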
As you can see, the team at npm was quite busy as well - both npm and Yarn made great progress in the past months.
It is great to see a new, open-source npm client - no doubt, a lot of effort went into making Yarn great!
Hopefully, we will see the improvements of Yarn incorporated into npm as well, so the users of both tools benefit from each other's progress.
Yarn vs. npm - Which one to pick?
If you are working on proprietary software, it does not really matter which one you use. With npm, you can use npm-shrinkwrap.json, while with Yarn you can use yarn.lock.
The team at Yarn published a great article on why lockfiles should be committed all the time, I recommend checking it out: https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all