NPM vs Yarn: Which package manager should I use?

NPM and Yarn are two of the most popular package managers among JavaScript and Node.js developers. They make it easier to handle a project's dependencies, i.e., anything on which a project relies, or a piece of code that is necessary for it to function properly. We need them because maintaining the project's dependencies is a challenging task that requires us to install, uninstall, modify or upgrade them.

This article helps you understand what exactly package managers are, how Yarn and NPM compare to each other and which features make working with one better than the other.

Table of contents

What is a package manager?
What is NPM?
    ➤  What is Node Package Manager used for?
What is Yarn?
    ➤  What is Yarn package manager used for?
    ➤  Yarn 2: The latest version of Yarn
Yarn or NPM: Which one is better?
    ➤  Dependencies
    ➤  Security
    ➤  Features
    ➤  Speed
Conclusion

What is a package manager?

Package managers or Package Management Systems are collections of tools that help you install, remove, modify, upgrade, and configure computer programs, as well as audit dependencies and report which ones should be upgraded to mitigate potential vulnerabilities. In today's world, developers rely on packaged software, which means that the software comes within one single file that wraps up everything needed to make that software work on our system. If not everything, it at least contains references to where the system can obtain the information it needs.

To tell a package management system how to deal with what's inside, the packages contain:

• Source code
• Pre-built binaries
• Scripts
• Metadata

The scripts and metadata, for instance, answer questions like:

• Does the software need to be transferred to a separate folder?
• Does it need to be compiled?
• Does it have any dependencies or prerequisites that should be met by installing other software for it to function properly?
• What should be done before or after compiling or moving the files to their final destination?

All of the information needed to answer these questions are bundled up in a package, like Yarn or NPM. Now, let's look at each of these package managers.

What is NPM?

NPM (Node Package Manager) is the standard command-line tool for installing Node.js dependencies and a public database of JavaScript packages, recently acquired by Microsoft. It represents the entry point into the ecosystem of open-source JavaScript modules and the tooling around working with and managing those modules.

What is Node Package Manager used for?

It's commonly used to publish, locate, install, and develop Node programs and applications. For that, it makes use of multiple different components:

• Node Package Manager Registry
• The npmjs.com website
• NPM command-line tool
• NPM, Inc.

NPM Registry

The NPM Registry is an important part of the Node Package Manager ecosystem. Its software registry is a public database of JavaScript code, tools, libraries, and frameworks available to download and use in your applications.

This registry is the largest software registry on the internet, with currently almost 1 million packages available online. Anyone can freely distribute their JavaScript modules by publishing them as packages on NPM. The registry is at its core, connecting millions of developers worldwide with the packages and tools they need to get the work done.

Instead of writing your application entirely from scratch, you can use modules published by Node Package Manager to aid you in your development process. For instance, Express.js is the most popular server framework for Node.js - you can download it from NPM and have a server running in just a few lines of code.

This availability of reusable modules helps speed up Node.js development significantly by reducing the amount of application-specific code you have to write.

npmjs.com

With the incredible volume of packages available in the registry, finding the right one to solve your problem may be challenging. But this is where the NPM website comes in handy.

<a href="www.npmjs.com"; target="_blank">npmjs.com is the web front-end to the Node Package Manager registry. It is the central place to search through all available public packages in the NPM ecosystem.

Each package in the registry has its own page on the Node Package Manager website. You can view package details, usage statistics, links to the packages repository, issue tracker, and other metadata about each package. This information is very helpful when deciding on a package for your application.

Because anyone can publish to the NPM registry, there is no quality guarantee for any particular package. So, when possible, we suggest you choose a popular, actively maintained package that focuses on the problem you are trying to solve more specifically.

Take a look at the list of packages available on npmjs.com

NPM command-line tool

The NPM command-line (CLI) tool is the default package manager bundled with Node.js. It helps you install and manage dependencies. It is responsible for fetching packages from the registry and installing them into your node_modules directory, where they are accessible from your code.

It will also update the dependencies listing in your package.json file when installing new dependencies, which is essential.

It is important to mention that the CLI is useful beyond installing dependencies. It is with you during all stages of the development cycle, helping you create, run, manage, and share Node.js packages and applications. There are a lot of commands available, but here are some of the most important ones:

• npm install - Helps you install dependencies.
• npm init - Used to generate a package.json file.
• npm audit - Asks for a report of known vulnerabilities.
• npm update - Helps you update the installed versions of your dependencies.
• npm uninstall - Removes dependencies from both package.json and the node_modules directory.
• npm run - Help you run scripts set up in your package.json.
• npm start - Runs your project's start script.
• npm publish - Publishes your package to the NPM registry.

Get updates about all the specifics, applications and differences between package managers, frameworks and technologies.

NPM Inc.

NPM Incorporated, The Company is responsible for hosting and maintaining the NPM registry and npmjs.com.

Node Package Manager began as an open-source program created in 2009. Since then, it has grown substantially. In 2014, NPM Inc. was founded to support the Node Package Manager registry as a sustainable free service.

The company's main for-profit product offers private publishing packages to the NPM registry for internal use by companies, teams, and enterprise businesses. However, a paid account is purely optional, and it remains a free service that you are not required to register for.

As already mentioned, the NPM registry is a critical part of the JavaScrip ecosystem, and it is important to understand who is in charge of that ecosystem. Currently, that is NPM Inc., as they control the registry and make decisions about its future.

Read also:

• Choosing the best tech stack for web development 2022
• Recoil vs Redux

What is Yarn?

Learn more about the different JavaScript technologies to enable businesses agility.

Yarn is a JavaScript package and dependency manager built by Facebook and supported by Google, Exponent, and Tilde. It was created to address the shortcomings of older versions of the NPM CLI.

Like NPM, Yarn allows you to use and share code with other developers worldwide, so you don't have to reinvent the wheel, i.e., you can use code that other developers have written and published. This makes it easier for you to build software by allowing you to utilize other developers' answers to specific problems.

Since Yarn is built on top of NPM's registry, packages published on here are also available on Yarn, which helps for a seamless upgrade.

What is Yarn package manager used for?

The role of package managers like Yarn is to allow you to install features quickly and safely; this is also done via command-line instructions.

Whenever a feature is added, it downloads the necessary code from a repository and adds it to the project, as well as adds the necessary references in case the package needs other libraries as a dependency to work properly. Yarn, therefore, is a package manager that installs, changes, and deletes features in web applications. It is also an open-source tool that emerged to improve some issues that Node Package Manager presents, like the slowness and impossibility of installing packages offline.

A particularity of Yarn's architecture is the way of installing the packages, which is done in three distinct stages:

• Resolution - Where Yarn performs lookups on records to check for existing dependencies.
• Cache lookup - Yarn looks for required dependencies in the cache to see if they have already been downloaded. If they don't exist, they are first downloaded to the cache.
• Installation - Finally, the dependencies are installed in the "node_modules "or ".yarn "folder, depending on the version (Yarn 2, which we will cover shortly), and updated in the Yarn control files.

Since Yarn gives you access to the same packages as Node Package Manager, its dependency commands are very similar:

• yarn add - Adds a package to your existing package.
• Yarn init - Starts the package development process.
• yarn install - Installs all of the package's dependencies in the package.json file
• yarn publish - Sends a package to the package management system.
• yarn remove - Removes an unnecessary package from the current package.

Yarn 2: The latest version of Yarn

Yarn 2 is a significant re-architecture and re-write of the Yarn project manager. It is improved on various features from the original Yarn and has newly added ones, defaulting to a unique package install method called Plug’n’Play.

Yarn 2’s improved features include:

• Has more advanced support for workspaces.
• A new command called yarn dlx can be used to run one-off scripts.
• It is highly modular and allows for easy plugin development, being much simpler in case you want to extend it. Note that some of the chore functionalities of Yarn are implemented as plugins.
• The use of Plug’n’Play (PNP) as the default install strategy. PNP is different from the current package installation method, as we will see below.

Yarn or NPM: Which one is better?

Dependencies

Yarn

Yarn version 1 and NPM both handle dependencies in a similar way. They keep the metadata in the package.json file, which is stored in the subdirectory - node_modules.

Yarn no longer tracks dependencies in the node modules subdirectory as of version 2. Yarn 2.0, on the other hand, employs the Plug'n'Play functionality, which creates a single .pnp.cjs file. This file shows a diagram of a project's dependency hierarchy.

Yarn installs dependencies using the yarn command. It installs dependencies concurrently, i.e., in parallel, allowing you to add multiple files simultaneously. When you install dependencies, a lock file is created that stores the precise list of dependencies used. This file is known as yarn.lock .

NPM

Node Package Manager installs dependencies one by one through the npm install command.

It also produces a package-lock.json version lock file. This file is also supported by Yarn, allowing users to move version data from Node Package Manager to Yarn.

Security

Yarn

While downloading packages, Yarn does a security check in the background. It uses the package licensing information to avoid downloading dangerous scripts or causing dependency issues.

To ensure secure data flow, both employ encryption techniques. Yarn validates packages using checksums, whereas NPM utilizes the package-lock.json file's SHA-512 (Secure Hash Algorithm).

NPM

In its earlier versions, security issues were a major concern. Now, every time you install a package, it does a security assessment as of version 6. This helps to avoid vulnerabilities and assures that no dependencies are incompatible.

The npm audit command may also be used to do a manual audit. If it discovers any vulnerabilities, use npm audit fix to repair the problems.

Features

Both package managers share several fundamental features:

• Creating lock files - Both package managers produce a version lock file by default. This file is referred to as yarn.lock in Yarn and package-lock.json in NPM.

• Remote scripts - Using the npx command in NPM and the yarn dlx command in Yarn, you can run scripts remotely in both NPM and Yarn.

• Using workspaces - They both enable workspaces, which allow you to manage dependencies for various projects from a single repository.

As already mentioned above, Yarn's unique features include:

• Plug'n'Play - Yarn produces a single .pnp.cjs file that maps project dependencies instead of utilizing the node modules folder. This results in more streamlined dependency trees and quicker project launch and package installation.

• Zero installation - Works with Plug'n'Play, as it uses the .pnp.cjs file to map packages stored in the offline cache. This allows you to quickly retrieve and install packages that have been saved.

• License check - Yarn has a built-in licensing checker when obtaining and installing packages.

Speed

As previously stated, Yarn installs dependency packages in parallel, whereas Node Package Manager installs them sequentially. As a result, Yarn outperforms when installing bigger files.

Both tools can save dependent files to the offline cache. This allows users to install dependencies even when they are not connected to the internet.

Yarn also uses the Zero install functionality starting with version 2. This functionality leverages the dependency map from the .pnp.cjs file to do an offline dependency install with zero delays.

Read also:

• Learn to configure ESLint and Prettier in React
• Learn how to use Next.js with TypeScript

Conclusion

Considering the differences and features covered between Yarn and NPM, the later is preferable for developers familiar with and happy with its current workflow. It offers a decent user experience while also saving hard drive space.

Yarn has more complex components like Plug'n'Play and Zero installation through Yarn 2. It also improves performance and security, although at the expense of hard disk capacity.

As we can see, both technologies are used in similar ways, so you should analyze the priority of your project and your preferences when choosing between the two.

Remember that (so far) both are compatible, meaning that you can change between the two with the appropriate settings during the development of a project if you need to.