Package Manager Battle
I’ve been recently working with some companies on technical challenges and projects where they’ve used different package managers than I’m used to. Package managers are used to help manage a project’s dependencies, which is a piece of code that is required for a project to work. As projects start to grow, we need help to include, remove, and update code within them, which is the purpose of the package managers. During my time at Flatiron, we typically used npm, but recently I’ve been using yarn. I’ve never understood the difference between the two nor knew the history, so I’ve decided to look into it for this blog.
What is npm? What is yarn?
Yarn stands for “Yet Another Resource Negotiator” and is a package manager developed by Facebook. The main reason for the creation of yarn was to address some of the performance and security issues of working with npm at the time of release. However, npm has since gone through improvements in these areas. As a result, there are a lot of similarities between. the two. While npm is install automatically with Node, yarn can be installed using npm.
While they have similar functions between them, there are some differences between them as well (outside of syntax, of course), with the major ones below:
Performance is an important consideration when managing a large number of packages and one of the main reasons Yarn was developed was to overcome the issues npm initially had. Through various tests, yarn is the clear winner in performance speed. The main reason is because Yarn installs multiple packages at once, while npm installs each one, one at a time. Yarn also has an offline mode feature that uses a caching mechanism for fast download of previously downloaded packages.
The other main reason Yarn was created was due to security challenges with npm. Yarn was initially regarded as more secure, but npm then introduced significant security improvements. Npm v6 now has security built-in and if code is being install with a known security vulnerability, npm will automatically issue a warning. Yarn’s security includes using checksum to verify the integrity of every package and the ability to check licenses of the installed packages.
While both package managers create a lock file (npm creates a package-lock.json file and yarn creates a yarn.lock file), that are some differences between them. NPM’s lock file is a little more complex and generates the same node_modules folder for different npm versions. Every dependency will have an exact version number associated with it. Yarn lock files help with easy merges, making them a bit more predictable. These are not recommended to be used together as they can create conflicts. Yarn, however, created a new feature to bring awareness between the package managers to allow developers with transition from npm to Yarn. Npm will eventually include this as well.
While Yarn does seem to have advantages, choosing technology that is widely adopted can aid with getting help faster when experiencing any challenges. Since npm has been out a lot longer and is the default package manager, it’s definitely more popular, but only by a little bit as Yarn is gaining traction amongst the community. Both yarn and npm are, in a way, using each other to bring themselves to the next level so choosing one or the other can be pretty difficult as it just mostly depends on requirements, tastes, and preferences.