This article helps you understand what exactly package managers are, how Yarn vs NPM compare to each other and which features make working with one better over the other.
Table of contents
What is a package manager?
What is NPM?
➤ What is NPM package manager used for?
What is Yarn?
➤ What is Yarn package manager used for?
➤ Yarn 2: The latest version of Yarn
Yarn vs. NPM: Which one is better?
Package managers, or package management systems, are collections of tools that help you install, remove, modify, upgrade, and configure computer programs, as well as audit dependencies and report which ones should be upgraded to mitigate potential vulnerabilities. Today, developers rely on packaged software, which means the software ships as a single file that wraps up everything needed to make it work on your system. If it does not contain everything, it at least contains references to where the system can obtain what it needs.
To tell a package management system how to deal with what's inside, the packages contain:
- Source code
- Pre-built binaries
- Scripts and metadata
The scripts and metadata, for instance, answer questions like:
- Does the software need to be transferred to a separate folder?
- Does it need to be compiled?
- Does it have any dependencies or prerequisites that should be met by installing other software for it to function properly?
- What should be done before or after compiling or moving the files to their final destination?
All of the information needed to answer these questions is bundled up in the package, and a package manager like Yarn or NPM reads it. Now, let's look at each of these package managers.
NPM is commonly used to publish, locate, install, and develop Node programs and applications. For that, it makes use of multiple different components:
- NPM Registry
- The npmjs.com website
- NPM command-line tool
- NPM, Inc.
Instead of writing your application entirely from scratch, you can use modules published to NPM to aid you in your development process. For instance, Express.js is the most popular server framework for Node.js - you can download it from NPM and have a server running in just a few lines of code.
This availability of reusable modules helps speed up Node.js development significantly by reducing the amount of application-specific code you have to write.
With the incredible volume of packages available in the registry, finding the right one to solve your problem may be challenging. But this is where the NPM website comes in handy.
npmjs.com (www.npmjs.com) is the web front-end to the NPM registry. It is the central place to search through all available public packages in the NPM ecosystem.
Each package in the registry has its own page on the NPM website. You can view package details, usage statistics, links to the package's repository and issue tracker, and other metadata about each package. This information is very helpful when deciding on a package for your application.
Because anyone can publish to the NPM registry, there is no quality guarantee for any particular package. So, when possible, we suggest you choose a popular, actively maintained package that focuses specifically on the problem you are trying to solve.
NPM command-line tool
The NPM command-line (CLI) tool is the default package manager bundled with Node.js. It helps you install and manage dependencies for your Node.js project. It is responsible for fetching packages from the NPM registry and installing them into your node_modules directory, where they are accessible from your code.
NPM will also update the dependency listing in your package.json file, the heart of any Node project, when installing new dependencies.
It is important to mention that the NPM CLI is useful beyond installing dependencies. It is with you during all stages of the development cycle, helping you create, run, manage, and share Node.js packages and applications. There are a lot of commands available, but here are some of the most important ones:
- npm install - Installs the dependencies for your project.
- npm init - Generates a package.json file for a new package.
- npm audit - Requests a report of known vulnerabilities in your dependencies.
- npm update - Updates the installed versions of your dependencies.
- npm uninstall - Removes dependencies from both node_modules and package.json.
- npm run - Runs the scripts set up in your package.json file.
- npm start - Runs your project's start script.
- npm publish - Publishes your package to the NPM registry.
NPM, Inc. is the company responsible for hosting and maintaining the NPM registry and npmjs.com.
NPM began as an open-source project created in 2009. Since then, it has grown substantially. In 2014, NPM Inc. was founded to support the NPM registry as a sustainable free service.
The company's main for-profit product offers private publishing of packages to the NPM registry for internal use by companies, teams, and enterprises. However, a paid account is purely optional, and NPM remains a free service that you are not required to register for.
As already mentioned, the NPM registry is a critical part of the JavaScript ecosystem, and it is important to understand who is in charge of that ecosystem. Currently, that is NPM Inc., as they control the registry and make decisions about the future of NPM.
Like NPM, Yarn allows you to use and share code with other developers worldwide, so you don't have to reinvent the wheel, i.e., you can use code that other developers have written and published. This makes it easier for you to build software by allowing you to utilize other developers' answers to specific problems.
Since Yarn is built on top of NPM's registry, packages published on NPM are also available through Yarn, which makes switching between the two seamless.
The role of package managers like Yarn is to allow you to install features in your project quickly and safely; this is also done via command-line instructions.
Whenever a feature is added, Yarn downloads the necessary code from a repository and adds it to the project, along with the necessary references in case the package needs other libraries as dependencies to work properly. Yarn, therefore, is a package manager that installs, changes, and deletes features in web applications. It is also an open-source tool that emerged to address some issues NPM had, like slowness and the impossibility of installing packages offline.
A particularity of Yarn's architecture is the way it installs packages, which is done in three distinct stages:
- Resolution - Yarn performs lookups on its records to check for existing dependencies.
- Cache lookup - Yarn looks for the required dependencies in the cache to see whether they have already been downloaded. If they are not there, they are first downloaded into the cache.
- Installation - Finally, the dependencies are installed into the ".yarn" folder, depending on the version (Yarn 2, which we will cover shortly), and recorded in the Yarn control files.
Since Yarn gives you access to the same packages as NPM, its dependency commands are very similar:
- yarn add - Adds a package to your existing package.
- yarn init - Starts the package development process.
- yarn install - Installs all of the package's dependencies in the node_modules folder.
- yarn publish - Sends a package to the package management system.
- yarn remove - Removes an unnecessary package from the current package.
Yarn 2 is a significant re-architecture and rewrite of the Yarn package manager. It improves on various features of the original Yarn and adds new ones, defaulting to a unique package install method called Plug'n'Play.
Yarn 2's improved features include:
- More advanced support for workspaces.
- A new command, yarn dlx, that can be used to run one-off scripts.
- It is highly modular and allows for easy plugin development, which makes it much simpler to extend. Note that some of Yarn's core functionalities are implemented as plugins.
- The use of Plug'n'Play (PnP) as the default install strategy. PnP differs from the current package installation method, as we will see below.
Yarn version 1 and NPM both handle dependencies in a similar way. They keep project metadata in the package.json file and install dependencies in the project's node_modules subdirectory.
As of version 2, Yarn no longer tracks dependencies in the node_modules subdirectory. Instead, Yarn 2 employs the Plug'n'Play functionality, which creates a single .pnp.cjs file that maps the project's dependency hierarchy.
Yarn installs dependencies using the yarn command. It installs dependencies concurrently, i.e., in parallel, fetching multiple packages simultaneously. When you install dependencies, a lock file is created that stores the precise list of dependencies used for the project. This file is known as yarn.lock.
NPM installs dependencies one by one through the npm install command.
NPM also produces a version lock file, package-lock.json. This file is also supported by Yarn, allowing users to move version data from NPM to Yarn.
While downloading packages, Yarn does a security check in the background. It uses the package licensing information to avoid downloading dangerous scripts or causing dependency issues.
To keep the data flow secure, both verify what they download with cryptographic hashes. Yarn validates packages using checksums, whereas NPM checks each package against the SHA-512 (Secure Hash Algorithm) integrity hash recorded in the package-lock.json file.
In early versions of NPM, security issues were a major concern. As of version 6, NPM runs a security assessment every time you install a package. This helps to avoid vulnerabilities and assures that no dependencies are incompatible.
The npm audit command may also be used to run a manual audit. If NPM discovers any vulnerabilities, use npm audit fix to repair the problems.
Yarn and NPM share several fundamental features:
Creating lock files - Both package managers produce a version lock file by default. This file is called yarn.lock in Yarn and package-lock.json in NPM.
Remote scripts - Using the npx command in NPM and the yarn dlx command in Yarn, you can run scripts remotely with either tool.
Using workspaces - Yarn and NPM both support workspaces, which allow you to manage dependencies for various projects from a single repository.
As already mentioned above, Yarn's unique features include:
Plug'n'Play - Yarn produces a single .pnp.cjs file that maps project dependencies instead of utilizing the node_modules folder. This results in more streamlined dependency trees and quicker project launch and package installation.
Zero installation - Works with Plug'n'Play, as it uses the .pnp.cjs file to map packages stored in the offline cache. This allows you to quickly retrieve and install packages that have been saved.
License check - Yarn has a built-in licensing checker when obtaining and installing packages.
As previously stated, Yarn installs dependency packages in parallel, whereas NPM installs them sequentially. As a result, Yarn outperforms NPM when installing bigger files.
Both tools can save dependent files to the offline cache. This allows users to install dependencies even when they are not connected to the internet.
Yarn also offers the Zero install functionality starting with version 2. This functionality leverages the dependency map in the .pnp.cjs file to do an offline dependency install with zero delays.
Considering the differences and features covered for Yarn and NPM, NPM is preferable for developers familiar with and happy with its current workflow. It offers a decent user experience while also saving hard drive space.
Yarn has more advanced components, like Plug'n'Play and Zero installation, in Yarn 2. It also improves performance and security, although at the expense of hard disk capacity.
As we can see, both technologies are used in similar ways, so you should analyze the priority of your project and your preferences when choosing between the two.
Remember that (so far) both are compatible, meaning that you can change between the two with the appropriate settings during the development of a project if you need to.