Yarn vs npm - The State of Node.js Package Managers
Let's take a look at the state of Node.js package managers, what they can do for you, and when you should pick which one!

Yarn - the new kid on the block

Fast, reliable and secure dependency management - this is the promise of Yarn, the new dependency manager created by the engineers of Facebook. But can Yarn live up to the expectations?

There are several ways of installing Yarn. If you have npm installed, you can just install Yarn with npm:

npm install yarn --global

However, the recommended way by the Yarn team is to install it via your native OS package manager - if you are on a Mac, it will probably be brew:

brew update
brew install yarn

Yarn Under the Hood

Yarn has a lot of performance and security improvements under the hood. Let's see what these are!

Offline cache
When you install a package using Yarn (using yarn add packagename), it places the package on your disk. During the next install, this package will be used instead of sending an HTTP request to get the tarball from the registry.
Your cached module will be put into ~/.yarn-cache, and will be prefixed with the registry name and postfixed with the module's version.
This means that if you install the 4.4.5 version of express with Yarn, it will be put into ~/.yarn-cache/npm-express-4.4.5.

Deterministic Installs
Yarn uses lockfiles (yarn.lock) and a deterministic install algorithm. We can say goodbye to the "but it works on my machine" bugs.
The lockfile looks something like this:
It contains the exact version numbers of all your dependencies - just like with an npm shrinkwrap file.
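As an added example (not code from the article or from the Yarn project), here is a small Node.js script that parses a yarn.lock v1 file and audits the properties that make the install reproducible and trustworthy: every entry pinned to an exact version, every resolved URL pointing at an expected registry host and carrying the sha1 fragment Yarn appends. The sample lockfile, its hashes and the allowed-registry list are constructed assumptions.

```javascript
// Added example (not the article's or Yarn's own code): audit a yarn.lock v1 file.
// ALLOWED_REGISTRIES and SAMPLE_LOCK are constructed assumptions; the hashes are fake.
const ALLOWED_REGISTRIES = new Set(['registry.yarnpkg.com', 'registry.npmjs.org']);

// Constructed sample: one clean entry, one resolved from an unexpected host,
// one whose resolved URL lacks the "#<sha1>" fragment Yarn appends.
const SAMPLE_LOCK = `# yarn lockfile v1
express@^4.4.5:
  version "4.4.5"
  resolved "https://registry.yarnpkg.com/express/-/express-4.4.5.tgz#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

accepts@~1.3.3:
  version "1.3.3"
  resolved "https://mirror.example.internal/accepts/-/accepts-1.3.3.tgz#bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"

left-pad@^1.1.0:
  version "1.1.3"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.3.tgz"
`;

// Minimal v1 parser: an unindented "name@range:" line opens an entry; indented
// version/resolved lines fill it in. Any other indented line (e.g. nested deps) is skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      current = { spec: line.replace(/:\s*$/, '').replace(/^"|"$/g, ''), version: null, resolved: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+(version|resolved)\s+"([^"]+)"/);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// One finding string per problem; an empty array means the lockfile passed.
function auditLock(text) {
  const findings = [];
  for (const e of parseYarnLock(text)) {
    if (!/^\d+\.\d+\.\d+$/.test(e.version || '')) findings.push(`${e.spec}: version not pinned`);
    if (!e.resolved) { findings.push(`${e.spec}: missing resolved URL`); continue; }
    const url = new URL(e.resolved);
    if (!ALLOWED_REGISTRIES.has(url.hostname)) findings.push(`${e.spec}: unexpected registry ${url.hostname}`);
    if (!/^#[0-9a-f]{40}$/.test(url.hash)) findings.push(`${e.spec}: resolved URL has no sha1 fragment`);
  }
  return findings;
}
```

Running auditLock against a real yarn.lock in CI is a cheap way to notice when a lockfile silently starts pulling tarballs from a host you did not intend to trust.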
License checks
Yarn comes with a handy license checker, which can become really powerful in case you have to check the licenses of all the modules you depend on.
Yarn is still in its early days, so it’s no surprise that there are some questions arising when you start using it.

What’s going on with the default registry?

By default, the Yarn CLI uses a different registry, and not the original one: https://registry.yarnpkg.com. So far there is no explanation on why it does not use the same registry.
Does Facebook have plans to make incompatible API changes and split the community?

Contributing back to npm?

One of the most logical questions that can come up when talking about Yarn is: Why don’t you talk with the CLI team at npm, and work together?
If the problem is speed, I am sure all npm users would like to get those improvements as well.
When we talk about deterministic installs, instead of coming up with a lockfile, the npm-shrinkwrap.json should have been fixed.

Why the strange versioning?

In the world of Node.js and npm, versions start at 1.0.0.
At the time of writing this article, Yarn is at 0.18.1.
Is something missing to make Yarn stable? Does Yarn simply not follow semver?
npm 4

npm is the default package manager we all know, and it is bundled with each Node.js release since v7.4.

Updating npm

To start using npm version 4, you just have to update your current CLI version:

npm install npm -g

At the time of writing this article, this command will install npm version 4.1.1, which was released on 12/11/2016. Let's see what changed in this version!

Changes since version 3

- npm search is now reimplemented to stream results, and sorting is no longer supported,
- npm scripts no longer prepend the path of the node executable used to run npm before running scripts,
- prepublish has been deprecated - you should use prepare from now on,
- npm outdated returns 1 if it finds outdated packages,
- partial shrinkwraps are no longer supported - the npm-shrinkwrap.json is considered a complete manifest,
- Node.js 0.10 and 0.12 are no longer supported,
- npm doctor, which diagnoses the user's environment and recommends solutions if there are potential npm-related problems.
As you can see, the team at npm was quite busy as well - both npm and yarn made great progress in the past months.

Conclusion
It is great to see a new, open-source npm client - no doubt, a lot of effort went into making Yarn great!
Hopefully, we will see the improvements of Yarn incorporated into npm as well, so users of both will benefit from each other's improvements.

Yarn vs. npm - Which one to pick?

If you are working on proprietary software, it does not really matter which one you use. With npm, you can use npm-shrinkwrap.json, while you can use yarn.lock with Yarn.
However, when it comes to modules published to npm, I highly recommend going with npm, without any shrinkwrap file.
Imagine that you are the author of Express. Express currently has 248 dependencies.
Whenever those dependencies are updated, you have to update your yarn.lock file, and publish it to the registry. If you fail to do that, important fixes (even the ones including security patches) won't be accessible for your consumers.

Let application developers lock their dependencies, but do not lock versions in your modules.