
Yarn vs npm - The State of Node.js Package Managers

Category: Front-end (JavaScript) | Posted by 店小二05 | 2017 | Author: 红领巾
With the v7.4 release, npm 4 became the bundled, default package manager for Node.js. In the meantime, Facebook released their own package manager solution, called yarn.

Let's take a look at the state of Node.js package managers, what they can do for you, and when you should pick which one!

Yarn - the new kid on the block

Fast, reliable and secure dependency management - this is the promise of Yarn, the new dependency manager created by the engineers of Facebook.

But can Yarn live up to the expectations?
Installing Yarn

There are several ways of installing Yarn. If you have npm installed, you can just install Yarn with npm:

npm install yarn --global

However, the way recommended by the Yarn team is to install it via your native OS package manager - if you are on a Mac, that will probably be brew:

brew update
brew install yarn

Yarn Under the Hood

Yarn has a lot of performance and security improvements under the hood. Let's see what these are!

Offline cache

When you install a package using Yarn (using yarn add packagename), it places the package on your disk. During the next install, this cached copy will be used instead of sending an HTTP request to get the tarball from the registry.

Your cached module will be put into ~/.yarn-cache, prefixed with the registry name and postfixed with the module's version.

This means that if you install version 4.4.5 of express with Yarn, it will be put into ~/.yarn-cache/npm-express-4.4.5.

Deterministic Installs

Yarn uses lockfiles (yarn.lock) and a deterministic install algorithm. We can say goodbye to the "but it works on my machine" bugs.

The lockfile looks something like this:

[Image: an example yarn.lock file]

It contains the exact version numbers of all your dependencies - just like with an npm shrinkwrap file.
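The security value of a lockfile is only realised if you actually check what it pins. The following is an added example, not code from the original article or from the Yarn project: a small parser for the yarn.lock v1 text format plus a check that every dependency declared in package.json has a lockfile entry pinned to an exact version, resolved from the registry the article names (https://registry.yarnpkg.com), with a sha1 fragment on the tarball URL. The package.json and yarn.lock contents are constructed samples, and the sha1 value is an obvious placeholder.

```javascript
// Added example, not code from the original article: parse a Yarn v1 lockfile
// and check that each dependency declared in package.json is pinned to an exact
// version whose tarball was resolved from the expected registry. The package.json
// and yarn.lock text below are constructed samples; the sha1 fragment is a placeholder.

const EXPECTED_REGISTRY = 'https://registry.yarnpkg.com/'; // registry named in the article

// Minimal parser for the yarn.lock v1 text format. An entry is a header line at
// column 0 ("name@range:", or several comma-separated, possibly quoted keys)
// followed by indented fields; only "version" and "resolved" are kept here.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      const keys = line.replace(/:\s*$/, '').split(',')
        .map(k => k.trim().replace(/^"(.*)"$/, '$1'));
      current = { version: null, resolved: null };
      for (const key of keys) entries[key] = current;
    } else if (current) {
      const m = line.trim().match(/^(version|resolved)\s+"([^"]*)"$/);
      if (m) current[m[1]] = m[2];
    }
  }
  return entries;
}

// Returns a list of human-readable problems; an empty list means the lockfile
// pins everything package.json asks for, from the registry we expect.
function checkLock(pkgJson, lockText, registry = EXPECTED_REGISTRY) {
  const lock = parseYarnLock(lockText);
  const declared = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock[`${name}@${range}`];
    if (!entry) {
      problems.push(`${name}@${range}: no lockfile entry (lockfile is stale or incomplete)`);
      continue;
    }
    if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(entry.version || '')) {
      problems.push(`${name}: version is not an exact pin (${entry.version})`);
    }
    if (!entry.resolved || !entry.resolved.startsWith(registry)) {
      problems.push(`${name}: resolved from an unexpected location (${entry.resolved})`);
    } else if (!/#[0-9a-f]{40}$/.test(entry.resolved)) {
      problems.push(`${name}: resolved URL carries no sha1 fragment, tarball cannot be verified`);
    }
  }
  return problems;
}

// Constructed sample inputs: lodash points at a non-default host and left-pad
// has no entry at all, so two problems are expected.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: '^4.14.0', lodash: '^4.17.0', 'left-pad': '^1.1.0' },
};

const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


express@^4.14.0:
  version "4.14.0"
  resolved "https://registry.yarnpkg.com/express/-/express-4.14.0.tgz#0123456789abcdef0123456789abcdef01234567"
  dependencies:
    accepts "~1.3.3"

lodash@^4.17.0:
  version "4.17.2"
  resolved "https://mirror.example.invalid/lodash/-/lodash-4.17.2.tgz#0123456789abcdef0123456789abcdef01234567"
`;

if (typeof require !== 'undefined' && require.main === module) {
  const problems = checkLock(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK);
  console.log(problems.length ? problems.join('\n') : 'lockfile OK');
}
```

Run it with `node check-lock.js`; in a real project you would read package.json and yarn.lock from disk instead of the embedded samples. The registry check is the part worth keeping in CI: a lockfile entry resolved from a host you did not choose is exactly the kind of change a deterministic install will otherwise reproduce faithfully on every machine.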


License checks

Yarn comes with a handy license checker, which can become really powerful in case you have to check the licenses of all the modules you depend on.


Yarn vs npm - The State of Node.js Package Managers
Potential issues/questions

Yarn is still in its early days, so it’s no surprise that there are some questions arising when you start using it.

What’s going on with the default registry?

By default, the Yarn CLI uses a different registry, not the original one: https://registry.yarnpkg.com. So far there is no explanation of why it does not use the same registry.

Does Facebook have plans to make incompatible API changes and split the community?

Contributing back to npm? One of the most logical questions that comes up when talking about Yarn is: why not talk with the CLI team at npm and work together?

If the problem is speed, I am sure all npm users would like to get those improvements as well.

As for deterministic installs: instead of coming up with a new lockfile, npm-shrinkwrap.json should have been fixed.

Why the strange versioning? In the world of Node.js and npm, versions start at 1.0.0.

At the time of writing this article, Yarn is at 0.18.1.

Is something missing to make Yarn stable? Does Yarn simply not follow semver?

Yarn is at 0.18.1. Is something missing to make it stable? Does it follow SemVer? via @RisingStack

npm 4

npm is the default package manager we all know, and it is bundled with each Node.js release since v7.4.

Updating npm

To start using npm version 4, you just have to update your current CLI version:

npm install npm -g

At the time of writing this article, this command will install npm version 4.1.1, which was released on 12/11/2016. Let's see what changed in this version!

Changes since version 3

- npm search is now reimplemented to stream results, and sorting is no longer supported,
- npm scripts no longer prepend the path of the node executable used to run npm before running scripts,
- prepublish has been deprecated - you should use prepare from now on,
- npm outdated returns 1 if it finds outdated packages,
- partial shrinkwraps are no longer supported - npm-shrinkwrap.json is considered a complete manifest,
- Node.js 0.10 and 0.12 are no longer supported,
- npm doctor, which diagnoses the user's environment and recommends solutions for potential npm-related problems.

As you can see, the team at npm was quite busy as well - both npm and yarn made great progress in the past months.

Conclusion

It is great to see a new, open-source npm client - no doubt, a lot of effort went into making Yarn great!

Hopefully, we will see the improvements of Yarn incorporated into npm as well, so both users will benefit from the improvements of the others.

Yarn vs. npm - Which one to pick?

If you are working on proprietary software, it does not really matter which one you use. With npm, you can use npm-shrinkwrap.json, while with Yarn you can use yarn.lock.


However, when it comes to modules published to npm, I highly recommend going with npm, without any shrinkwrap file.

Imagine that you are the author of Express. Express currently has 248 dependencies.

Whenever those dependencies are updated, you have to update your yarn.lock file, and publish it to the registry. If you fail to do that, important fixes (even the ones including security patches) won't be accessible for your consumers.

Let application developers lock their dependencies, but do not lock versions in your modules.

Page URL: http://www.codesec.net/view/522580.html