Gergely Nemeth Co-Founder of RisingStack, EM at Uber

With the v7.4 release, npm 4 became the bundled, default package manager for Node.js. In the meantime, Facebook released their own package manager solution, called Yarn. In this article we dive into what these package managers offer, what's the difference between them, and how they evolved.

Let's take a look at the state of Node.js package managers and what they can do for you! I'll also try to help you pick between npm and Yarn!

Yarn or npm in 2018? What's the difference?

Since the original publish date of this article (January 2017), a lot has changed for both npm and yarn. Most importantly, with the release of npm 5, package-lock.json was added to npm.

package-lock.json is automatically generated and updated for any operation where the npm CLI modifies the node_modules directory or the package.json file. In addition, every npm install automatically adds the installed modules to both package.json and package-lock.json. This file is meant to be committed into the version control system you are using. With this feature, npm reached feature parity with yarn when it comes to lock file support.

At the same time, yarn started to address issues that companies using mono repositories ran into. Namely, monorepos with multiple packages, each containing a package.json file. If you'd like to install dependencies for all of them with npm, that means going over each directory and issuing npm install in every one of them.

To help with this process, yarn introduced workspaces. In combination with Lerna, it gives package authors a powerful toolset to manage the dependencies of their projects and also makes publishing a lot easier.

Which package manager to use in 2018?

If I’d start a project tomorrow, I would pick npm to manage dependencies, because:

now it comes with lock file support,

it does not send package usage information to Facebook (yarn uses Facebook’s npm registry mirror)

We got contacted on Twitter by Burak Yiğit Kaya, who works on Yarn, with relevant information about the registry Yarn uses. Here is his tweet:

This information is never shared with any @facebook service since @yarnpkg is detached from Facebook and is under its own multi-company & community org on GitHub. — Burak Yiğit Kaya (@madbyk) April 24, 2018

Essentially, this means that Yarn does not maintain its own registry; it just points its domain at the original npm registry through Cloudflare. On Cloudflare, they can see usage statistics, and the Yarn client benefits from Cloudflare's caches.

To clarify this, Yarn will add an FAQ section to their page.

Meet the Yarn package manager - a new npm alternative

Fast, reliable and secure dependency management - this is the promise of Yarn, the new dependency manager created by the engineers of Facebook.

But can Yarn live up to the expectations?

Installing Yarn

There are several ways of installing Yarn. If you have npm installed, you can just install Yarn with npm:

npm install yarn --global

However, the way recommended by the Yarn team is to install it via your native OS package manager - if you are on a Mac, that will probably be brew:

brew update

brew install yarn

Yarn Under the Hood

Yarn has a lot of performance and security improvements under the hood. Let's see what these are!

Offline cache

When you install a package using Yarn (with yarn add packagename), it places the package on your disk. During the next install, this cached copy is used instead of sending an HTTP request to fetch the tarball from the registry.

Your cached module will be put into ~/.yarn-cache, prefixed with the registry name and postfixed with the module's version.

This means that if you install version 4.4.5 of express with Yarn, it will be put into ~/.yarn-cache/npm-express-4.4.5.

Deterministic Installs

Yarn uses lockfiles (yarn.lock) and a deterministic install algorithm. We can say goodbye to the "but it works on my machine" bugs.

The lockfile looks something like this:

It contains the exact version numbers of all your dependencies - just like with an npm shrinkwrap file.
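A lockfile is only as good as what it pins: a reviewer should be able to check that every entry carries an exact version, an integrity hash npm can verify, and a download URL from the registry the team actually trusts. The following Node.js script is an added example (not code from the article, npm or Yarn) that audits a constructed package-lock.json in the lockfileVersion 1 layout written by npm 5; it serves both the package-lock.json paragraph above and this section. The hashes, the mirror host and the dependency set are constructed for the example.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 1 layout, as
// written by npm 5). SAMPLE_LOCK is constructed for this example; the
// integrity values are placeholders, not real digests.
const SAMPLE_LOCK = {
  name: "demo-app", version: "1.0.0", lockfileVersion: 1, requires: true,
  dependencies: {
    express: {
      version: "4.4.5",
      resolved: "https://registry.npmjs.org/express/-/express-4.4.5.tgz",
      integrity: "sha512-PLACEHOLDER_EXPRESS_DIGEST",
      requires: { "body-parser": "1.18.2" },
      dependencies: {
        "body-parser": {
          version: "1.18.2",
          resolved: "https://registry.npmjs.org/body-parser/-/body-parser-1.18.2.tgz"
          // no integrity field: npm has nothing to verify the tarball against
        }
      }
    },
    "left-pad": {
      version: "1.3.0",
      resolved: "http://mirror.example.internal/left-pad-1.3.0.tgz", // constructed host
      integrity: "sha1-PLACEHOLDER_LEFTPAD_DIGEST"
    }
  }
};

// Walks the (possibly nested) dependency tree and returns one finding per
// problem: non-exact version, missing or weak integrity hash, plain-HTTP
// download, or a resolved URL pointing at a host outside the allow-list.
function auditLock(lock, allowedHosts = ["registry.npmjs.org", "registry.yarnpkg.com"]) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const id = `${path}${name}@${entry.version}`;
      if (!/^\d+\.\d+\.\d+/.test(entry.version || "")) findings.push(`${id}: version is not exact`);
      if (!entry.integrity) findings.push(`${id}: no integrity hash`);
      else if (!entry.integrity.startsWith("sha512-")) findings.push(`${id}: weak integrity algorithm`);
      if (entry.resolved) {
        try {
          const u = new URL(entry.resolved);
          if (u.protocol !== "https:") findings.push(`${id}: resolved over ${u.protocol}`);
          if (!allowedHosts.includes(u.hostname)) findings.push(`${id}: unexpected host ${u.hostname}`);
        } catch (e) { findings.push(`${id}: unparseable resolved URL`); }
      }
      walk(entry.dependencies, `${id} > `); // nested deps live under the parent
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

console.log(auditLock(SAMPLE_LOCK).join("\n"));
```

Run against a real lockfile by replacing SAMPLE_LOCK with JSON.parse of the file's contents; an empty result means every pinned package is verifiable and comes from an allowed registry.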

License checks

Yarn comes with a handy license checker, which can become really powerful in case you have to check the licenses of all the modules you depend on.

Potential issues/questions

Yarn is still in its early days, so it’s no surprise that there are some questions arising when you start using it.

What’s going on with the default registry?

By default, the Yarn CLI uses a different registry, not the original one: https://registry.yarnpkg.com. So far there is no explanation of why it does not use the same registry.

Does Facebook have plans to make incompatible API changes and split the community?

Contributing back to npm?

One of the most logical questions that comes up when talking about Yarn is: why don't you talk with the CLI team at npm and work together?

If the problem is speed, I am sure all npm users would like to get those improvements as well.

When it comes to deterministic installs, instead of coming up with a new lockfile, npm-shrinkwrap.json should have been fixed.

npm, the Node package manager we all know

npm is the default package manager we all know, and it is bundled with each Node.js release since v7.4.

Updating npm

To start using npm version 4, you just have to update your current CLI version:

npm install npm -g

At the time of writing this article, this command will install npm version 4.1.1, which was released on 12/11/2016. Let's see what changed in this version!

Changes since version 3

npm search is now reimplemented to stream results, and sorting is no longer supported,

npm scripts no longer prepend the path of the node executable used to run npm before running scripts,

prepublish has been deprecated - you should use prepare from now on,

npm outdated returns 1 if it finds outdated packages,

partial shrinkwraps are no longer supported - the npm-shrinkwrap.json is considered a complete manifest,

Node.js 0.10 and 0.12 are no longer supported,

npm doctor was added, which diagnoses the user's environment and recommends solutions for any problems related to npm.

Key changes in npm 5!

With the release of npm 5, package-lock.json was added to npm.

As you can see, the team at npm was quite busy as well - both npm and Yarn made great progress in the past years.

Conclusion: Yarn or npm?

It is great to see a new, open-source npm client - no doubt, a lot of effort went into making Yarn great!

Hopefully, we will see the improvements of Yarn incorporated into npm as well, so both users will benefit from the improvements of the others.

Yarn vs. npm - Which one to pick?

I would recommend using npm to manage dependencies in 2018, because

it comes with lock file support and does not send package usage information to Facebook (yarn uses Facebook's npm registry mirror).