In the past, a simple text editor was sufficient for developers to create and manage most projects. But the WEB has changed radically since then, and today, even a fairly simple project usually has hundreds of scripts with complex nested dependencies that simply can’t be managed in an orderly fashion without an automation tool, which is where a package manager comes into play.
A package manager is a tool that automates the handling of project dependencies in various ways. For example, with the help of a package manager, packages can be installed, uninstalled, updated and upgraded, project settings can be configured, scripts can be run, and much more. All the complex and tedious work is done by the package manager, allowing developers to focus on coding.
npm is Node’s package manager, which was released in 2010 and ushered in a new era of web development. Before that, project dependencies were downloaded and managed manually. npm is what took web development to a higher level.
npm does three main things.
- a website for managing all aspects of the npm experience
- A registry for accessing the extensive public database of JavaScript packages
- a command line interface (CLI) for interacting with npm via the terminal
However, when most people talk about npm, they are usually referring to the last CLI tool. It is distributed with each new Node release as the default package manager.
yarn represents another resource negotiator. yarn package manager is an alternative to npm, released by Facebook in October 2016. yarn was originally targeted to deal with npm’s shortcomings, such as performance and security issues. yarn was quickly positioned as a secure, fast, and reliable JavaScript dependency management tool.
But the npm team learned their lesson and quickly filled in the gaps in npm by implementing the missing features.
Here’s a look at a timeline.
- 2010: npm with Node support was released.
- 2016: Yarn was released. It shows better performance than npm. It also generates
yarn.lock
files, making sharing and exact replication of repo’s easier and predictable. - 2017: NPM 5 is released. It provides automatically generated package lock
package-lock.json
files to cope withyarn.lock
. - 2018: NPM 6 is released with improved security. Now, npm checks for security vulnerabilities before installing dependencies.
- 2020: Yarn 2 and npm 7 are released. Both of these packages have great new features.
- 2021: Yarn 3 is released with various improvements.
Today, these two package managers are neck and neck in the package management race, offering similar features and functionality. However, there are still some differences that help in choosing which one to use.
Installation Comparison
As mentioned above, npm is pre-installed in Node, so there is generally no need to install npm manually.
Instead, yarn needs to be installed explicitly, first, globally
|
|
It can then be used on a per-project basis by setting the desired version in the project. The desired version is set by running the yarn set version
command in the project’s root directory at
|
|
berry
is the version number to set. If you want to update to the latest version, run.
|
|
With yarn, you can use a different version for each project. To do the same with npm, you need to install nvm (Node version manager).
Installing project dependencies
Now, let’s see how to install project dependencies. When you run npm install
, the dependencies are installed sequentially, and a detailed installation log is output in the terminal, though it is not very readable.
To install a package using yarn, run the yarn
command. yarn installs packages in parallel, which is one of the reasons it is faster than npm. If you are using yarn 1
, you will see that the installation logs output by yarn are more concise and better readable. They are arranged in a tree for ease of reading. But this has changed in versions 2 and 3, where the logs are not as intuitive and readable.
So far, it has been seen that npm and yarn have different commands for installing packages.
Command Comparison
Many commands are the same for npm and yarn, but there are also many different commands. Let’s start with the same commands.
npm init | yarn init
: create a new packagenpm run | yarn run
: run the script defined inpackage.json
npm test | yarn test
: test a packagenpm publish | yarn publish
: Publish a packagenpm cache clean | yarn cache clean
: remove all data from the cache folder
These commands make it easy to switch between the two managers, but there are a few different commands that can cause confusion.
npm install | yarn
: install dependenciesnpm install [package] | yarn add [package]
: install a packagenpm install --save-dev [package] | yarn add --dev [package]
: install a package as a development dependencynpm uninstall [package] | yarn remove [package]
: uninstall a packagenpm uninstall --save-dev [package] | yarn remove [package]
: uninstall development dependenciesnpm update | yarn upgrade
: update dependenciesnpm update [package] | yarn upgrade [package]
: update packages
yarn also has some unique commands that are not the same under npm. For example, the why
command shows the reason a package is needed: it could be a dependency, a local module, or a project dependency.
Speed and Performance
Whenever yarn or npm needs to install a package, they perform a series of tasks. In npm, these tasks are installed package by package, meaning it waits for one package to be fully installed before moving on to the next. By contrast, yarn executes these tasks in parallel, which is a significant performance improvement.
While both managers provide caching mechanisms, yarn seems to do a little better. By implementing a zero-install mode, it is able to install packages in almost no time. It caches each package and saves it on disk, so the next time this package is installed, it is not even necessary to have an Internet connection, since the package is installed offline from disk.
Although yarn has some advantages, yarn and npm are comparable in speed in their latest versions, so they are now considered indistinguishable.
Safety Comparison
One of the main criticisms of npm is in the area of security, previous versions of npm had several serious security vulnerabilities. However, starting with version 6, npm audits packages during installation and shows if any vulnerabilities are found. This check can be performed manually by running npm audit
on the installed package, and if any vulnerabilities are found, npm will give the appropriate security advice. If a security vulnerability is found, you can run npm audit fix
to fix the package vulnerability.
In terms of security, both yarn and npm use cryptographic hashing algorithms to ensure package integrity.
Feature comparison
As with the commands described above, there are some features that are common to both npm and yarn, but there are also some differences, and the main ones are described below.
Locked files generated by ####
In the package.json
file, where both npm and yarn keep track of the project’s dependencies, the version number is not always exact; instead, a range of versions can be defined. In this way, it is possible to select a major and minor version of a package, but allow npm to install the latest patches that may fix some bugs.
In the ideal state of semantic version control, the patch version would not contain any breaking changes. But the display always differs from the ideal, causing this not to be the case in real life. npm uses a strategy that may result in two machines ending up with the same package.json
file, but with different versions of packages installed, which buries the problem of possible bugs.
To avoid package version mismatches, the exact installed version is fixed in the package lock file, and each time a module is added, npm and yarn create (or update) a package-lock.json
and yarn.lock
file, respectively.
Using Workspaces
Workspaces allow having a monorepo
to manage dependencies across multiple projects, which means having a single top-level root package that contains multiple sub-packages called workspaces.
Running scripts remotely
The npx
command is used to run scripts from . /node_modules/.bin
to run scripts. It also allows packages to be executed from the npm registry without having to install them in project dependencies. For example, a new React application can be created by running the following command.
|
|
In yarn, the same result can be obtained using the equivalent dlx
command.
|
|
The following section describes the features that are unique to yarn.
Zero installation
Zero installs store the cache in the .yarn
folder in the project directory. When using commands such as yarn
or yarn add <package>
, yarn creates a .pnp.cjs
file that contains the dependency hierarchy that Node uses to load project packages. As a result, they can be accessed at almost zero time.
Plug and Play
Plug-and-play is another installation strategy. Instead of generating a node_modules
directory and leaving the resolution to Node, yarn generates a single .pnp.cjs
file that maps packages to their locations on disk and their list of dependencies. This feature leads to faster project startups, better optimized dependency trees, faster install times, and of course no need for the node_modules
folder.
Licenses
yarn includes a built-in license checker that can be used in different scenarios when developing applications.
Select which package manager
The similarities and differences between npm and yarn have been discussed above, but it is not yet determined which one is better and which one should be chosen, but as always, it is the right one for the right team or project that counts.
Here is a recommended recommendation.
- Choose npm : if you are happy with your current workflow, don’t want to install additional tools, and don’t have a lot of disk space.
- Choose yarn: if you want some great features like plug-and-play, need some features missing in npm, and have enough disk space
If it’s still hard to make a clear decision between npm and yarn, then don’t worry about it, use whichever one you want and you’ll basically be fine.
Summary
This article compares two of the most popular package managers on the market, both of which have their own pros and cons, to choose the most suitable one for your project.