Developers often find themselves in a dilemma when trying to select the best package managers for building, using, reusing, managing, and sharing packages with others.
We’ll be comparing these two side by side so that you can make the right decision on the one to go for when working on your projects.
Before we start comparing them in detail, let’s get some background information that will assist in this npm vs. Yarn debate.
What is npm?
What is Yarn?
Since Yarn's initial release, npm has undergone several improvements to fix some of its inefficiencies. As a result, as we'll demonstrate in this blog post, npm and Yarn are now in a neck-and-neck race over which package manager trumps the other.
In an attempt to take Yarn a notch higher, the core team behind its development released Yarn 2 in January 2020. While Yarn 2 brings several improvements to the table, it has been heavily criticized in the developer community, and even Facebook engineers have publicly washed their hands of it.
So, for the rest of this article, we’ll be discussing Yarn 1, and simply referring to it as Yarn.
Let’s now compare Yarn vs. npm similarities and differences.
1. Popularity
Choosing a technology that is widely adopted can help you get assistance faster when you run into implementation problems. While Yarn is newer than npm, it seems to be catching up quickly in popularity.
For example, if we compare the number of downloads between npm and Yarn in the past 5 years, we can see that npm is the clear winner here.
However, if we use the extent of their GitHub activity to compare the popularity of the two tools, we notice a totally different story.
As you can see in the above screenshot, taken on August 6th, 2020, Yarn, with nearly 12 times the stars and 3 times the forks, may be holding the lead.
2. Installation
Installing npm is much easier than installing Yarn: npm comes bundled with your Node.js installation, so there is no need to install it separately.
Yarn is available as an npm package. So, you can install it by running the following command on the terminal:
However, the Yarn core team does not recommend installing it via npm. Depending on your system requirements, you can go for any of the other installation options.
3. Managing dependencies
Yarn and npm have more or less similar ways of managing dependencies. Both read the package.json file at the root of the project's working directory. This file holds the relevant metadata associated with the project and is used to manage the project's dependency versions, scripts, and more.
Both package managers store installed dependency files in the node_modules folder. Yarn 2, however, switches to Plug'n'Play by default and no longer generates a node_modules folder unless it is configured to.
Furthermore, both Yarn and npm provide an autogenerated lock file that has the entries of the exact versions of the dependencies used in the project.
In Yarn, it is called yarn.lock, while in npm it is called package-lock.json. As the name implies, this file pins the dependencies to the exact versions chosen during installation, after resolving the version ranges declared in the package.json file. Both lock files also record the resolved URL and an integrity hash for every package, which the installer checks against the downloaded tarball.
When installing a dependency, the lock file ensures that the same file structure in node_modules is reproduced across all environments. This provides determinism, supports collaboration with other developers, and prevents breakage caused by silently picking up new or incompatible dependency versions.
Whereas Yarn shipped with a lock file from its first version, npm only caught up by introducing package-lock.json in version 5 (May 2017).
While Yarn and npm follow a similar style of managing dependencies, it is advised not to use them together in the same project, unless they are pointed at different registries from their default installations. If used together, they can create conflicts, particularly resolution inconsistencies arising from unsynchronized lock files: each tool trusts only its own lock file, so the two can silently install different versions of the same dependency.
Nonetheless, Yarn recently announced a new feature that increases the awareness between the two package managers and allows developers to transition from npm to Yarn smoothly.
This feature allows developers to import and install dependencies from the npm package-lock.json file. It is a useful improvement, especially for those in mixed Yarn/npm environments or intending to migrate existing projects to Yarn.
To use this feature, run the yarn import command in a repository that has a package-lock.json file. Yarn will apply the resolutions recorded in package-lock.json to generate a corresponding yarn.lock file.
Similarly, npm is working to play nicer with Yarn. In the upcoming v7, npm plans to read an existing yarn.lock as a source of package metadata during installation and to keep it in sync alongside package-lock.json. This will reduce the friction often experienced when switching between npm and Yarn (or using both).
4. Performance
The performance of your package manager is an important consideration when managing a large number of packages. Since development is arduous enough, you need a performant tool that will not weigh you down.
As earlier mentioned, one of the main reasons why Yarn was developed was to overcome the performance issues with npm. So, initially, Yarn was the clear winner in terms of performance.
However, in recent times, especially from v5 and v6, npm has considerably narrowed the gap with Yarn. While Yarn is still faster in most cases, npm is quickly tightening this competition.
Several benchmark tests have been run to compare the speed of the two tools. For example, here is a table that summarizes the results of one test that compared the speed of installing some simple dependencies under different conditions:
As you can see above, Yarn clearly trumped npm in installation speed. During installation, Yarn fetches and installs packages in parallel, whereas npm historically installed them one at a time.
Reinstallation was also pretty fast when using Yarn. That is because of its offline mode, which uses a cache to serve previously downloaded packages without going back to the registry. While npm also has a cache, Yarn's appears to be noticeably more effective.
5. Security
Security is another serious bone of contention in a Yarn vs. npm review. While Yarn was initially regarded as more secure, the npm team has made a commendable comeback by introducing significant security improvements.
With npm v6, security checks are built in. If you try installing a package with a known security vulnerability, npm automatically issues a warning. A new command, npm audit, was also introduced to recursively assess your dependency tree against the advisory database and report known vulnerabilities.
On the other hand, Yarn's security features include verifying the integrity of every package against a checksum and the ability to check the licenses of your installed packages (yarn licenses list). Note what the checksum does and does not give you: it proves the downloaded tarball is the one the lock file recorded, so tampering in transit or on a mirror is caught, but it says nothing about whether the package itself is benign. npm performs the same check against the integrity hashes stored in package-lock.json, so this is no longer a Yarn-only advantage.
6. Updating dependencies
Upgrading to the latest available package version works similarly in both tools, albeit with some differences in the CLI commands.
Here is how to update Yarn dependencies
Here is how to update npm dependencies
In both tools, if you do not specify a package name, all of the project's dependencies are updated to the latest versions allowed by the version ranges declared in package.json. The package-lock.json or yarn.lock file is rewritten accordingly, depending on the tool you are using.
If you do specify a package name, only that package is updated.
7. CLI commands
Developers usually spend a lot of time interfacing with terminals; it’s where they live. Therefore, another vital point for comparison is the CLI.
Let’s look at some commands common to both tools:
Let’s look at some commands different in both tools:
Let’s look at some commands present in one tool but absent in another:
In terms of the output of running the CLI commands, Yarn delivers cleaner output (which also comes with emojis, unless you are on Windows).
For example, here is a screenshot of running a simple install command using both tools:
As you can see above, npm generates a lot of noise, by default. On the contrary, Yarn’s output is cleaner and less verbose.
Yarn drew a lot of inspiration from npm, using its shortcomings to build a package management solution that developers would love. Likewise, npm's core team has continued to punch back with every new release, updating its features to meet the needs of developers.
So, presently, the two package managers are closer together in functionality than ever, almost reaching feature parity. Nonetheless, there are a few twists and turns that can make you opt for one over the other.
Ultimately, your choice between npm vs. Yarn will depend on your requirements, tastes, and preferences.