In the past, a simple text editor was sufficient for developers to create and manage most projects. But the WEB has changed radically since then, and today, even a fairly simple project usually has hundreds of scripts with complex nested dependencies that simply can’t be managed in an orderly fashion without an automation tool, which is where a package manager comes into play.
A package manager is a tool that automates the handling of project dependencies in various ways. For example, with the help of a package manager, packages can be installed, uninstalled, updated and upgraded, project settings can be configured, scripts can be run, and much more. All the complex and tedious work is done by the package manager, allowing developers to focus on coding.
npm is Node’s package manager, which was released in 2010 and ushered in a new era of web development. Before that, project dependencies were downloaded and managed manually. npm is what took web development to a higher level.
npm does three main things.
- a website for managing all aspects of the npm experience
- a command line interface (CLI) for interacting with npm via the terminal
However, when most people talk about npm, they are usually referring to the last CLI tool. It is distributed with each new Node release as the default package manager.
But the npm team learned their lesson and quickly filled in the gaps in npm by implementing the missing features.
Here’s a look at a timeline.
- 2010: npm with Node support was released.
- 2016: Yarn was released. It shows better performance than npm. It also generates
yarn.lockfiles, making sharing and exact replication of repo’s easier and predictable.
- 2017: NPM 5 is released. It provides automatically generated package lock
package-lock.jsonfiles to cope with
- 2018: NPM 6 is released with improved security. Now, npm checks for security vulnerabilities before installing dependencies.
- 2020: Yarn 2 and npm 7 are released. Both of these packages have great new features.
- 2021: Yarn 3 is released with various improvements.
Today, these two package managers are neck and neck in the package management race, offering similar features and functionality. However, there are still some differences that help in choosing which one to use.
As mentioned above, npm is pre-installed in Node, so there is generally no need to install npm manually.
Instead, yarn needs to be installed explicitly, first, globally
It can then be used on a per-project basis by setting the desired version in the project. The desired version is set by running the
yarn set version command in the project’s root directory at
berry is the version number to set. If you want to update to the latest version, run.
With yarn, you can use a different version for each project. To do the same with npm, you need to install nvm (Node version manager).
Installing project dependencies
Now, let’s see how to install project dependencies. When you run
npm install, the dependencies are installed sequentially, and a detailed installation log is output in the terminal, though it is not very readable.
To install a package using yarn, run the
yarn command. yarn installs packages in parallel, which is one of the reasons it is faster than npm. If you are using
yarn 1, you will see that the installation logs output by yarn are more concise and better readable. They are arranged in a tree for ease of reading. But this has changed in versions 2 and 3, where the logs are not as intuitive and readable.
So far, it has been seen that npm and yarn have different commands for installing packages.
Many commands are the same for npm and yarn, but there are also many different commands. Let’s start with the same commands.
npm init | yarn init: create a new package
npm run | yarn run: run the script defined in
npm test | yarn test: test a package
npm publish | yarn publish: Publish a package
npm cache clean | yarn cache clean: remove all data from the cache folder
These commands make it easy to switch between the two managers, but there are a few different commands that can cause confusion.
npm install | yarn: install dependencies
npm install [package] | yarn add [package]: install a package
npm install --save-dev [package] | yarn add --dev [package]: install a package as a development dependency
npm uninstall [package] | yarn remove [package]: uninstall a package
npm uninstall --save-dev [package] | yarn remove [package]: uninstall development dependencies
npm update | yarn upgrade: update dependencies
npm update [package] | yarn upgrade [package]: update packages
yarn also has some unique commands that are not the same under npm. For example, the
why command shows the reason a package is needed: it could be a dependency, a local module, or a project dependency.
Speed and Performance
Whenever yarn or npm needs to install a package, they perform a series of tasks. In npm, these tasks are installed package by package, meaning it waits for one package to be fully installed before moving on to the next. By contrast, yarn executes these tasks in parallel, which is a significant performance improvement.
While both managers provide caching mechanisms, yarn seems to do a little better. By implementing a zero-install mode, it is able to install packages in almost no time. It caches each package and saves it on disk, so the next time this package is installed, it is not even necessary to have an Internet connection, since the package is installed offline from disk.
Although yarn has some advantages, yarn and npm are comparable in speed in their latest versions, so they are now considered indistinguishable.
One of the main criticisms of npm is in the area of security, previous versions of npm had several serious security vulnerabilities. However, starting with version 6, npm audits packages during installation and shows if any vulnerabilities are found. This check can be performed manually by running
npm audit on the installed package, and if any vulnerabilities are found, npm will give the appropriate security advice. If a security vulnerability is found, you can run
npm audit fix to fix the package vulnerability.
In terms of security, both yarn and npm use cryptographic hashing algorithms to ensure package integrity.
As with the commands described above, there are some features that are common to both npm and yarn, but there are also some differences, and the main ones are described below.
Locked files generated by ####
package.json file, where both npm and yarn keep track of the project’s dependencies, the version number is not always exact; instead, a range of versions can be defined. In this way, it is possible to select a major and minor version of a package, but allow npm to install the latest patches that may fix some bugs.
In the ideal state of semantic version control, the patch version would not contain any breaking changes. But the display always differs from the ideal, causing this not to be the case in real life. npm uses a strategy that may result in two machines ending up with the same
package.json file, but with different versions of packages installed, which buries the problem of possible bugs.
To avoid package version mismatches, the exact installed version is fixed in the package lock file, and each time a module is added, npm and yarn create (or update) a
yarn.lock file, respectively.
Workspaces allow having a
monorepo to manage dependencies across multiple projects, which means having a single top-level root package that contains multiple sub-packages called workspaces.
Running scripts remotely
npx command is used to run scripts from
. /node_modules/.bin to run scripts. It also allows packages to be executed from the npm registry without having to install them in project dependencies. For example, a new React application can be created by running the following command.
In yarn, the same result can be obtained using the equivalent
The following section describes the features that are unique to yarn.
Zero installs store the cache in the
.yarn folder in the project directory. When using commands such as
yarn add <package>, yarn creates a
.pnp.cjs file that contains the dependency hierarchy that Node uses to load project packages. As a result, they can be accessed at almost zero time.
Plug and Play
Plug-and-play is another installation strategy. Instead of generating a
node_modules directory and leaving the resolution to Node, yarn generates a single
.pnp.cjs file that maps packages to their locations on disk and their list of dependencies. This feature leads to faster project startups, better optimized dependency trees, faster install times, and of course no need for the
yarn includes a built-in license checker that can be used in different scenarios when developing applications.
Select which package manager
The similarities and differences between npm and yarn have been discussed above, but it is not yet determined which one is better and which one should be chosen, but as always, it is the right one for the right team or project that counts.
Here is a recommended recommendation.
- Choose npm : if you are happy with your current workflow, don’t want to install additional tools, and don’t have a lot of disk space.
- Choose yarn: if you want some great features like plug-and-play, need some features missing in npm, and have enough disk space
If it’s still hard to make a clear decision between npm and yarn, then don’t worry about it, use whichever one you want and you’ll basically be fine.
This article compares two of the most popular package managers on the market, both of which have their own pros and cons, to choose the most suitable one for your project.