In the past, a simple text editor was enough for developers to create and manage most projects. But the web has changed dramatically since then, and today even a fairly simple project often has hundreds or thousands of scripts with complex nested dependencies that cannot be managed by hand, which is where a package manager comes in.
A package manager is a tool that automates the handling of project dependencies. With it you can install, uninstall, update and upgrade packages, configure project settings, run scripts, and so on. The complicated and tedious work is done by the package manager, leaving developers free to focus on code.
NPM, the package manager for Node, was released in 2010 and ushered in a new era of web development. Before that, a project's dependency libraries were downloaded and managed manually; NPM took web development to the next level.
NPM consists of three main parts:
- A website for managing all aspects of the NPM experience
- A registry, the public database that holds a wide range of JavaScript packages
- A command line interface (CLI) for interacting with NPM from the terminal
However, when most people talk about NPM, they mean the CLI tool. It ships with each new Node release as the default package manager.
Yarn stands for Yet Another Resource Negotiator. It is an alternative to NPM, released by Facebook in October 2016. Yarn's original goal was to address NPM's shortcomings at the time, such as performance and security issues, and it quickly positioned itself as a secure, fast and reliable JavaScript dependency manager.
But the NPM team learned its lesson and quickly closed the gap by implementing the missing features.
Here’s a timeline:
- 2010: NPM for Node is released.
- 2016: Yarn is released. It performs better than NPM and generates a yarn.lock file that makes sharing a repository and reproducing an exact install easier and more predictable.
- 2017: NPM 5 is released. It automatically generates a package-lock.json file, its answer to yarn.lock.
- 2018: NPM 6 improves security. NPM now checks dependencies against a database of known vulnerabilities during installation.
- 2020: Yarn 2 and NPM 7 are released. Both bring major new features.
- 2021: Yarn 3 is released with various improvements.
Today the two package managers are neck and neck, offering similar features and functionality. But there are still differences that influence which one to choose.
Installation
Let's start with the installation process for NPM and Yarn.
Installing the package manager
As mentioned above, NPM comes bundled with Node, so you generally do not need to install it manually.
Yarn, on the other hand, requires explicit installation. First install Yarn globally:
npm install -g yarn
It can then be used on a per-project basis by setting the required version inside the project. Do this by running yarn set version in the project's root directory:
yarn set version berry
Here berry is the release line to use (Berry is the code name of the Yarn 2+ line). To update to the latest version, run:
yarn set version latest
With Yarn, each project can therefore use a different Yarn version. NPM has no equivalent of its own: because NPM ships with Node, you would switch Node versions with NVM (Node Version Manager) to get a different NPM.
Installing project dependencies
Now let's look at how project dependencies are installed. When npm install is run, the dependencies are installed sequentially and a detailed installation log is printed to the terminal, although it is not very readable.
To install packages with Yarn, run yarn. Yarn installs packages in parallel, which is one reason it is faster than NPM. With Yarn 1 the installation logs are concise and arranged as a tree, which makes them easy to read. This changed in versions 2 and 3, where the logs are less intuitive and less readable.
So far, you have seen that NPM and Yarn use different commands to install packages.
Commands
NPM and Yarn share many commands but also differ in many. Let's look at the shared commands first:
- npm init | yarn init: creates a new package
- npm run | yarn run: runs a script defined in package.json
- npm test | yarn test: tests a package
- npm publish | yarn publish: publishes a package
- npm cache clean | yarn cache clean: deletes all data from the cache folder
These shared commands make switching between the two managers easy, but there are a few commands that differ and can cause confusion:
- npm install | yarn: installs all dependencies
- npm install [package] | yarn add [package]: installs a package
- npm install --save-dev [package] | yarn add --dev [package]: installs a package as a development dependency
- npm uninstall [package] | yarn remove [package]: uninstalls a package
- npm uninstall --save-dev [package] | yarn remove [package]: uninstalls a development dependency
- npm update | yarn upgrade: updates all dependencies
- npm update [package] | yarn upgrade [package]: updates a package
Yarn also has some commands with no direct NPM counterpart. For example, yarn why shows why a package is installed: whether it is a direct dependency of the project, a local module, or a transitive dependency pulled in by another package.
Speed and performance
Each time Yarn or NPM installs a package it performs a series of tasks. Older versions of NPM performed these tasks package by package, waiting for one package to be fully installed before moving on to the next. Yarn, by contrast, runs these tasks in parallel, which improves performance significantly.
Both managers provide a cache, but Yarn's goes further. Yarn keeps a copy of every downloaded package on disk, so the next time the same package is installed no Internet connection is needed; it is installed offline from the cache. Its zero-install mode, which keeps that cache inside the repository, lets a fresh checkout install in almost no time.
Despite these advantages of Yarn, the latest versions of Yarn and NPM are comparable in speed, so the two are now neck and neck.
Security comparison
One of the main criticisms of NPM has concerned security: earlier versions of NPM had several serious security holes. Since version 6, however, NPM audits dependencies during installation and reports any known vulnerabilities found. The check can also be run manually with npm audit, which lists vulnerable installed packages and recommends fixes; npm audit fix then applies the available upgrades. Two caveats apply: the audit only knows about published advisories for the versions in your dependency tree, so a clean report is not proof that a dependency is safe, and npm audit fix --force may apply major-version upgrades that break your code.
Both Yarn and NPM use cryptographic hashes to protect package integrity: the lock file records a digest of each package tarball (in the sha512-... Subresource Integrity format), and a downloaded archive whose hash does not match is rejected. This protects against tampering in transit or on a mirror; it does not protect against a malicious package that was published legitimately under that name and version.
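As an added example (not from the original article or from the npm project), here is a small Node script that consumes the JSON form of the audit report and fails a build when anything at or above a chosen severity is present, mirroring what npm audit --audit-level=<level> does. The report embedded in it is constructed for this article and modelled on the shape npm 7 and later emit (auditReportVersion 2); the package names and advisories are illustrative, not real findings.

```javascript
// Added example: gate a CI build on `npm audit --json` output.
// The report below is CONSTRUCTED for this article, modelled on the shape npm 7+
// emits (auditReportVersion 2). Package names and advisories are illustrative.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-left-pad": {
      name: "example-left-pad",
      severity: "high",
      isDirect: false,
      // An object in `via` is an advisory against this package itself.
      via: [{ title: "Prototype pollution (constructed)", url: "https://example.invalid/advisory/1" }],
      effects: ["example-app-utils"],
      range: "<1.2.0",
      fixAvailable: true,
    },
    "example-app-utils": {
      name: "example-app-utils",
      severity: "moderate",
      isDirect: true,
      // A string in `via` means: vulnerable only through that other package.
      via: ["example-left-pad"],
      effects: [],
      range: "*",
      fixAvailable: true,
    },
    "example-legacy-parser": {
      name: "example-legacy-parser",
      severity: "low",
      isDirect: true,
      via: [{ title: "ReDoS (constructed)", url: "https://example.invalid/advisory/2" }],
      effects: [],
      range: "<=0.9.9",
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
});

// Severity scale used by npm, lowest first.
const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Count findings per severity and collect every package at or above `auditLevel`.
// For each failing package we also record which other packages it is vulnerable
// through, so the root cause stays visible when a transitive dependency is the problem.
function summarizeAudit(reportJson, auditLevel = "high") {
  const report = JSON.parse(reportJson);
  const threshold = SEVERITY_ORDER.indexOf(auditLevel);
  if (threshold < 0) throw new Error(`unknown audit level: ${auditLevel}`);
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const failing = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    if (SEVERITY_ORDER.indexOf(v.severity) >= threshold) {
      failing.push({
        name: v.name,
        severity: v.severity,
        direct: Boolean(v.isDirect),
        fixAvailable: Boolean(v.fixAvailable),
        rootCauses: (v.via || []).filter((x) => typeof x === "string"),
      });
    }
  }
  return { counts, failing, shouldFail: failing.length > 0 };
}

// Exit-code policy mirroring `npm audit --audit-level=<level>`:
// non-zero when anything at or above the level is present.
function auditExitCode(reportJson, auditLevel) {
  return summarizeAudit(reportJson, auditLevel).shouldFail ? 1 : 0;
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_AUDIT_JSON, "high"), null, 2));
console.log("exit code at --audit-level=high:", auditExitCode(SAMPLE_AUDIT_JSON, "high"));
```

In a pipeline you would feed the real output of npm audit --json into summarizeAudit and exit with auditExitCode; the point of keeping the root-cause list is that the package you must upgrade is often not the one that appears in the failing list.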
Functional comparison
As described above, NPM and Yarn share many features, but there are differences. The main ones are described below.
Lock file generation
In package.json, where both NPM and Yarn record project dependencies, versions are usually not exact; a range is declared instead. You fix the major and minor version of a package but allow the manager to install the latest patch release, which may fix bugs.
Under ideal semantic versioning a patch release contains no breaking changes. Reality often differs from the ideal. Ranges alone can therefore leave two machines with the same package.json but different installed versions, which is a source of hard-to-reproduce bugs and, from a security standpoint, means you cannot say exactly which code you shipped.
To prevent this, NPM and Yarn create (or update) package-lock.json and yarn.lock respectively whenever a module is added, recording the exact resolved version and integrity hash of every package. Commit the lock file and install from it in CI (npm ci, or yarn install --immutable on Yarn 2+) so that the recorded versions are used and any drift between package.json and the lock file fails the build instead of being silently resolved.
Workspaces
Workspaces let you manage dependencies across multiple projects in a monorepo: a single top-level root package contains multiple subpackages, called workspaces.
Running remote scripts
The npx command runs executables from ./node_modules/.bin. It can also run a package straight from the NPM registry without adding it to the project's dependencies. Keep in mind that this downloads and executes code you have not reviewed, and a typo in the package name runs whatever is published under that name, so pin a version and double-check the name. For example, you can create a new React application by running:
npx create-react-app my-app
In Yarn 2+, the equivalent is the dlx command:
yarn dlx create-react-app my-app
The following features are unique to Yarn.
Zero install
Zero-install stores the package cache in the .yarn folder inside the project directory. When you use commands such as yarn or yarn add
Plug'n'Play
Plug'n'Play is another installation strategy. Instead of generating a node_modules directory and leaving module resolution to Node, Yarn generates a single .pnp.cjs file that maps each package to its location on disk and lists its dependencies. This can give faster project start-up, a better optimised dependency tree, faster installs and, of course, no node_modules folder.
Licenses
Yarn includes a built-in license checker that can be used in different scenarios when developing applications.
Choosing a package manager
The similarities and differences between NPM and Yarn have been discussed above, but which is better has not been settled, and it is the fit with your team or project that matters most.
Here is a recommendation:
- Choose NPM if you are happy with your current workflow, don't want to install additional tools, and don't have a lot of disk space.
- Choose Yarn if you want features such as Plug'n'Play, you need something that NPM lacks, and you have plenty of disk space.
If it is still hard to decide between NPM and Yarn, don't worry: either one will serve you well.
Conclusion
Package managers are essential to modern web development. This article compared the two most popular ones; each has its own advantages and disadvantages, and the choice should suit the project at hand.