215

What are the differences between Yarn and NPM? At the time of writing this question I can only find some articles on the Internet showing what's the Yarn equivalent of an NPM command.

Do they have the same functionalities (I know Yarn does local caching and looks like you only need to download a package once) but other than this is there any benefits for moving from NPM to Yarn?

6
  • 23
    This is not a bad question and does not deserve a downvote. That said, it does need to be fleshed out a bit to make it a truly good question.
    – user677526
    Commented Oct 13, 2016 at 17:58
  • A quick Google turns up this. I believe this is probably too broad/not constructive for StackOverflow and could do with a bit more research shown anyway.
    – Aurora0001
    Commented Oct 13, 2016 at 17:59
  • 3
    @Aurora0001 when I searched I saw the cheatsheet but that's not the answer to my question! I want to know differences between the two and not differences between the commands. Please read my question first
    – Asha
    Commented Oct 13, 2016 at 18:02
  • 5
    @Asha You should edit your question to have more specifics, and show what you've already researched. What kind of differences are you looking to find? Are you attempting to find out how the libraries are implemented? Are you attempting to find out how they differ in approaching the problem? If you make your question more precise, it can be good, depending on what you're asking. (Depending on what you're asking, the information may already be available on Google.)
    – user677526
    Commented Oct 13, 2016 at 18:04
  • @Asha, if you'd shown that you had read that but it wasn't relevant, it would have been helpful to show research effort. As I say though, comparison questions are usually not great for Q&A, and it might have been better if you'd framed the question differently.
    – Aurora0001
    Commented Oct 13, 2016 at 19:21

7 Answers

101

UPDATE: March 2018 (bit late...)

Since version 5, npm

  • generates a 'lockfile' called package-lock.json that fixes your entire dependency tree much the same way the yarn (or any other) locking mechanism does,
  • A tool has been made
  • --save is now implied for npm i
  • Better network and cache usage

npm 5.7.0 further introduced the npm ci command to install dependencies more quickly in a continuous integration environment by only installing packages found in the package-lock.json (reporting an error if the package-lock.json and package.json are not synchronized).

Personally, I still use npm.


Original

I am loath to quote directly from docs, but they do a great job of explaining why, concisely enough that I don't see how to further summarize the ideas.

Largely:

  1. You always know you're getting the same thing on every development machine

  2. It parallelizes operations that npm does not, and

  3. It makes more efficient use of the network.

  4. It may make more efficient use of other system resources (such as RAM) as well.

What are people's production experiences with it? Who knows, it's an infant to the general public.

TL;DR from Yehuda Katz:

From the get-go, the Yarn lockfile guarantees that repeatedly running yarn on the same repository results in the same packages.

Second, Yarn attempts to have good performance, with a cold cache, but especially with a warm cache.

Finally, Yarn makes security a core value.

Nice blog post

“NPM vs Yarn Cheat Sheet” by Gant Laborde

Slightly longer version from the project:

Fast: Yarn caches every package it downloads so it never needs to again. It also parallelizes operations to maximize resource utilization so install times are faster than ever.

Reliable: Using a detailed, but concise, lockfile format, and a deterministic algorithm for installs, Yarn is able to guarantee that an install that worked on one system will work exactly the same way on any other system.

Secure: Yarn uses checksums to verify the integrity of every installed package before its code is executed.

And from the README.md:

  • Offline Mode: If you've installed a package before, you can install it again without any internet connection.
  • Deterministic: The same dependencies will be installed the same exact way across every machine regardless of install order.
  • Network Performance: Yarn efficiently queues up requests and avoids request waterfalls in order to maximize network utilization.
  • Multiple Registries: Install any package from either npm or Bower and keep your package workflow the same.
  • Network Resilience: A single request failing won't cause an install to fail. Requests are retried upon failure.
  • Flat Mode: Resolve mismatching versions of dependencies to a single version to avoid creating duplicates.
  • More emojis. 🐈
4
  • Can you tell me if yarn does dependency resolution like npm v3 does? I understand that there is a --flat option which forces a real flat structure where only one version of each dependency is allowed to be installed, but what is the default behaviour on this? Thanks. Commented Nov 3, 2016 at 15:07
  • 9
    Excellent answer. I wonder if they tried contributing to npm before forking and renaming and changing the syntax of install -g. Commented Jun 18, 2017 at 2:54
  • very good post scotch.io/tutorials/… Commented Jan 6, 2018 at 6:45
  • please update for 2024
    – serge
    Commented Jun 20 at 15:24
11

Trying to give a better overview for beginners.

npm has been historically (2010) the most popular package manager for JavaScript. If you want to use it for managing the dependencies of your project, you can type the following command:

npm init

This will generate a package.json file. It contains all the dependencies of the project.

Then

npm install

would create a directory node_modules and download the dependencies (that you added to the package.json file) inside it.

It will also create a package-lock.json file. This file is used to describe the tree of dependencies that was generated. It allows developers to install exactly the same dependencies. For example, you could imagine a developer upgrading a dependency to v2 and then v3 while another one directly upgrading to v3.

npm installs dependencies in a non-deterministic way, meaning the two developers could have different node_modules directories, resulting in different behaviours. npm has suffered from a bad reputation, as for example in February 2018: an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.

To resolve those problems and others, Facebook introduced a new package manager (2016): Yarn, a faster, more secure, and more reliable package manager for JavaScript.

You can add Yarn to a project by typing:

yarn init

This will create a package.json file. Then, install the dependencies with:

yarn install

A folder node_modules will be generated. Yarn will also generate a file called yarn.lock. This file serves the same purpose as the package-lock.json but is instead constructed using a deterministic and reliable algorithm, thus leading to consistent builds.

If you started a project with npm, you can actually migrate to Yarn easily. yarn will consume the same package.json. See Migrating from npm for more details.

However, npm has been improved with each new release and some projects still use npm over yarn.
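The lockfile only gives "exactly the same dependencies" on every machine if it is actually in sync with package.json; that is the check `npm ci` (mentioned in the first answer) performs before installing, refusing when the two have drifted, where a plain `npm install` would quietly re-resolve the new ranges and rewrite the lockfile. The following is an added example, not code from the answer or from npm, that reproduces that check in simplified form: it assumes the lockfile v2/v3 layout, where `packages[""]` mirrors the root package.json and every resolved dependency has a `node_modules/<name>` entry, and compares declared ranges textually rather than by semver satisfaction. The manifests are constructed; the package names are placeholders.

```javascript
// Added example: the package.json vs package-lock.json consistency check that
// a lockfile-only install relies on, simplified. Manifests below are
// constructed; "example-lib", "test-runner" and "new-lib" are placeholders.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Compare package.json with package-lock.json; return a list of problems
// (an empty list means the pair is in sync and a lockfile-only install is safe).
function lockfileProblems(pkg, lock) {
  const problems = [];
  const root = (lock.packages && lock.packages['']) || null;
  if (!root) {
    problems.push('lockfile has no root entry (packages[""]); is it lockfileVersion 2 or 3?');
    return problems;
  }
  for (const field of DEP_FIELDS) {
    const wanted = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(wanted)) {
      if (!(name in locked)) {
        problems.push(`${field}.${name}: in package.json but not in lockfile root`);
      } else if (locked[name] !== range) {
        problems.push(`${field}.${name}: package.json wants ${range}, lockfile recorded ${locked[name]}`);
      }
      // Even with a matching range, the resolved package must be present.
      if (!lock.packages[`node_modules/${name}`]) {
        problems.push(`${name}: no resolved node_modules entry in lockfile`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in wanted)) {
        problems.push(`${field}.${name}: in lockfile root but removed from package.json`);
      }
    }
  }
  return problems;
}

// Constructed sample: a package.json and the lockfile generated from it.
const PKG = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: { 'example-lib': '^1.2.0' },
  devDependencies: { 'test-runner': '~3.0.0' },
};

const LOCK_IN_SYNC = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'demo-app',
      version: '1.0.0',
      dependencies: { 'example-lib': '^1.2.0' },
      devDependencies: { 'test-runner': '~3.0.0' },
    },
    'node_modules/example-lib': {
      version: '1.2.3',
      resolved: 'https://registry.example.invalid/example-lib-1.2.3.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/test-runner': {
      version: '3.0.4',
      resolved: 'https://registry.example.invalid/test-runner-3.0.4.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

// A developer bumps example-lib and adds new-lib in package.json but does not
// regenerate the lockfile: a lockfile-only install should refuse this state.
const PKG_EDITED = {
  ...PKG,
  dependencies: { 'example-lib': '^2.0.0', 'new-lib': '^0.1.0' },
};

function runDemo() {
  return {
    inSync: lockfileProblems(PKG, LOCK_IN_SYNC),
    drifted: lockfileProblems(PKG_EDITED, LOCK_IN_SYNC),
  };
}

console.log(runDemo());
```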

6

The answer by @msanford covers almost everything, however, I'm missing the security (OWASP's Known Vulnerabilities) part.

Yarn

You can check them using yarn audit, however, you cannot fix them. This is still an open issue on GitHub (https://github.com/yarnpkg/yarn/issues/7075).

npm

You can use npm audit fix, so some of them you can fix by yourself.

Both of them, i.e. npm audit & yarn audit have their own Continuous Integration tools. These are respectively https://github.com/IBM/audit-ci (used, works great!) and https://yarnpkg.com/package/audit-ci (haven't used).
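What a CI wrapper such as audit-ci does is read the JSON form of the audit report and fail the build above a chosen severity. The following is an added example, not code from the answer or from audit-ci, of that gate over the `npm audit --json` format (auditReportVersion 2, the shape npm 7 and later emit, where each entry's `via` array mixes advisory objects with the names of other vulnerable packages it inherits from). The report is constructed: package names, advisory ids and URLs are placeholders, not real findings.

```javascript
// Added example: a minimal CI gate over an `npm audit --json` report.
// The report below is constructed; names, ids and URLs are placeholders.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether a report should fail the build.
//   options.failOn: lowest severity that blocks (default "high")
//   options.allow:  package names accepted for now (tracked exceptions)
function auditGate(report, options = {}) {
  const threshold = SEVERITY_RANK[options.failOn || 'high'];
  if (threshold === undefined) throw new Error(`unknown severity: ${options.failOn}`);
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const allow = new Set(options.allow || []);
  const blocking = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[vuln.severity];
    if (rank === undefined || rank < threshold) continue;
    if (allow.has(vuln.name)) continue;
    // `via` holds advisory objects (the root cause) and/or strings naming
    // other vulnerable packages this one depends on (inherited finding).
    const advisories = (vuln.via || []).filter((v) => typeof v === 'object');
    blocking.push({
      name: vuln.name,
      severity: vuln.severity,
      direct: vuln.isDirect === true,
      inherited: advisories.length === 0,
      fixAvailable: vuln.fixAvailable !== false,
      // npm reports an object here when the only fix is a semver-major bump
      majorBump: typeof vuln.fixAvailable === 'object' && vuln.fixAvailable.isSemVerMajor === true,
      titles: advisories.map((a) => a.title),
    });
  }
  blocking.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { failed: blocking.length > 0, blocking, counted: report.metadata.vulnerabilities };
}

// Constructed sample report (not real advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'critical', isDirect: true,
      via: [{ source: 0, name: 'example-parser', dependency: 'example-parser',
              title: 'PLACEHOLDER advisory title', url: 'https://advisory.example.invalid/0',
              severity: 'critical', range: '<2.0.1' }],
      effects: [], range: '<2.0.1', nodes: ['node_modules/example-parser'], fixAvailable: true,
    },
    'example-legacy': {
      name: 'example-legacy', severity: 'high', isDirect: true,
      via: [{ source: 1, name: 'example-legacy', dependency: 'example-legacy',
              title: 'PLACEHOLDER advisory title', url: 'https://advisory.example.invalid/1',
              severity: 'high', range: '<4.0.0' }],
      effects: [], range: '<4.0.0', nodes: ['node_modules/example-legacy'],
      fixAvailable: { name: 'example-legacy', version: '4.0.0', isSemVerMajor: true },
    },
    'example-util': {
      name: 'example-util', severity: 'moderate', isDirect: false,
      via: ['example-parser'], effects: [], range: '1.0.0 - 1.3.0',
      nodes: ['node_modules/example-util'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

function runDemo() {
  return {
    defaultGate: auditGate(SAMPLE_REPORT),
    strictGate: auditGate(SAMPLE_REPORT, { failOn: 'moderate' }),
    withException: auditGate(SAMPLE_REPORT, { allow: ['example-legacy'] }),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The `allow` list is the part worth treating carefully: an exception should carry an owner and an expiry in the repository, otherwise "accepted for now" quietly becomes permanent. The `majorBump` flag is also useful to surface separately, since `npm audit fix` will not apply a semver-major fix without `--force`, so those findings stay open until someone schedules the upgrade.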

5

npm:

  1. The package manager for JavaScript. npm is the command-line interface to the npm ecosystem. It is battle-tested, surprisingly flexible, and used by hundreds of thousands of JavaScript developers every day.
  2. NPM generates a correct lock file whereas a Yarn lock file could be corrupt in some cases and has to be fixed with yarn-tools

Yarn:

  1. A new package manager for JavaScript. Yarn caches every package it downloads so it never needs to again. It also parallelizes operations to maximize resource utilization so install times are faster than ever.
  2. Yarn doesn't support login with a password (while NPM does)
1
  • 6
    what kind of logins? Commented Feb 11, 2020 at 20:35
3

When you install a package using Yarn (using yarn add packagename), it places the package on your disk. During the next install, this package will be used instead of sending an HTTP request to get the tarball from the registry.

Yarn comes with a handy license checker, which can become really powerful in case you have to check the licenses of all the modules you depend on.

If you are working on proprietary software, it does not really matter which one you use. With npm, you can use npm-shrinkwrap.js, while you can use yarn.lock with Yarn.

For more information please read the following blog

https://blog.risingstack.com/yarn-vs-npm-node-js-package-managers/

1

Yarn

Advantages:

  • Supports features like parallel installation and Zero-Install results in better performance

  • More secure

  • Large active user community

Disadvantages:

  • Doesn’t work with older versions of Node.js (lower than version 5)

  • Problems with installing native modules

NPM

Advantages:

  • Ease of use, especially for developers working with older versions.

  • Optimized local package installation to save hard drive space.

Disadvantages:

  • Security vulnerabilities are still there

Conclusion:

Is Yarn better than NPM?

In terms of speed and performance Yarn is better than NPM because it performs the parallel installation. Yarn is still more secure than NPM. However, Yarn uses more disk space than NPM.

0

Yarn since version 4 includes a command yarn upgrade-interactive. Previously it had to be installed manually, but now this core plugin is built-in. It has a great CLI interface enabling you to pick the update version, possibly upgrading to a new major version of your dependency. In npm, there is no such command. The closest NPM equivalent is the third-party package npm-check-updates, which has to be installed manually.

NPM has the npm link command, which actually works. It enables you to 'install' a local package - usually a library - to be tested in another local project where you use it. This command is known to be problematic or non-working in yarn.

Another advantage of yarn was its great tooling for workspace management, making it even comparable to lerna, but since version 8, even npm has usable workspace utilities.
