Yarn vs. NPM: Which Package Manager You Should Choose, and Why?

Eylam Milner
Dec 08 · 6 min read

npm and Yarn are two package managers developers swear by. Both sit at the top of this space and constantly, aggressively try to one-up each other in the battle for supremacy. They provide similar features; however, they have some essential differences you should know before deciding to go with either one.

Yarn vs NPM: A long, drawn-out battle

npm came out in 2010 and quickly became popular among JavaScript developers because it took on the tedious tasks of package installation, uninstallation, updating, and dependency management. However, it had some flaws related to performance and security.

It was still smooth sailing for npm as a default package manager till Yarn emerged in 2016. Yarn was hailed as the npm replacement because it addressed the many flaws of npm. Developers who were mainly concerned with npm’s shortcomings quickly gravitated towards this new package manager from Facebook. npm was then forced to address its flaws and also released an online marketplace for packages. As of today, npm remains the more popular package manager of the two. However, developers are still pretty divided and find themselves taking a lot of time to decide which package manager to go with.

What is npm?

npm stands for node package manager. npm ships with every Node.js installation as the default package manager and gets installed along with it. npm first came out in 2010 and has since evolved into a comprehensive package manager. npm has three components: an online portal, an inventory of public and paid packages, and the most commonly used npm CLI.

What is Yarn?

Yet Another Resource Negotiator, abbreviated as Yarn, is an alternative to npm. Yarn can be installed as a package through npm. Developed by Facebook in 2016, Yarn addressed many security and performance issues that riddled npm then. Yarn was quickly adopted by developers and became extremely popular. Since then, Yarn has seen a steady climb in adoption.

Packaged with a lock file that automatically locks package versions across all systems, Yarn was considered more secure and reliable. And, with faster installation speed, it has been able to take the fight to npm. Yarn and npm are in a cutthroat battle against each other.

npm has done reasonably well in maintaining its reign over the package management space by innovating and providing the same features that made Yarn appealing to developers. npm has been able to keep up with Yarn by releasing updates that quicken package installation and stabilize dependencies. Since both tools are now pretty similar, they can be used as alternatives to each other.

5 key differences between Yarn and npm

Let’s dive into key differences that could make you choose one of these package managers over the other.

1. Installation

While npm is installed by default with Node.js, to install Yarn you can use the npm install command, just as you would use it to install any other package.

You begin by installing yarn globally using the following command.

npm install -g yarn

Alternatively, you can use any native package manager to install Yarn.

Once installed globally, you can pin the desired Yarn version in each project by running the following command in your project’s root folder.

yarn set version [version_name]

The version can then be updated when needed using the following command.

yarn set version latest

To use different versions of npm in different projects, you will need nvm (node version manager).

2. Package and dependency installation

Yarn and npm have many identical commands like npm init | yarn init for creating a new package, npm run | yarn run for running scripts defined in the package.json, and npm test | yarn test for testing a package, etc.

However, package and dependency installation is where the commands somewhat differ. In npm, you can install a package using npm install [package name], and to install dependencies, you can use npm install.

In Yarn, to install a package, you have to use yarn add [package name], and to install dependencies, you can use yarn.

Apart from the tangible differences, there is also a significant difference in how both package managers install dependencies. While npm installs package dependencies sequentially, which slows down package installation, yarn installs them in parallel, speeding up the process. Yarn also provides more comprehensive and readable output logs that help developers understand package dependencies, whereas npm output logs can be hard to read.

3. Performance

Performance is an essential factor in deciding which tool to choose. Yarn was developed to address the performance issues that npm was plagued with. Over time, npm was able to bridge the performance gap with updates and new releases. However, Yarn is still faster, and in a production environment, even seconds matter.

The difference in performance is mainly due to the mechanics behind the scenes of how these package managers work. As mentioned previously, npm installs packages and dependencies in sequential order. That means if you had to install five packages and the first package took a lot of time to install, it would delay the installation of all the packages. This is less than ideal. Yarn, however, installs packages in parallel, which means the ones that install quicker will be available for developers to use. In contrast, the ones that are a tad slower will be made available a bit later.

Although both npm and Yarn enable offline caching for quicker installation, Yarn does this better than npm. Yarn comes with a feature called zero installs, which stores packages in your project directory. When you run the command to install a package, Yarn creates a .pnp.cjs file containing the dependency hierarchies that Node.js uses to install the packages, making package installation extremely fast.

4. Lock file generation

Both yarn and npm offer lock file generation. A lock file helps you define the versions of all the dependencies required as part of your project and ensures that all the new installations of said dependencies adhere to the versions mentioned inside the package.json file. This way, teams can encourage collaboration and reduce the chances of code failure due to the installation of newer, untested versions. This file is called yarn.lock in yarn while its npm counterpart is called package-lock.json.

Yarn and npm manage dependencies similarly. However, it’s ill-advised to use both of them together: using both package managers on the same project can lead to inconsistencies, because two different lock files may resolve dependencies differently. Yarn has recently introduced a feature that allows you to run yarn import in a repository containing package-lock.json, thereby creating a yarn.lock file using the resolution parameters defined in the npm lock file. This can help teams that use both package managers in their environment to migrate to Yarn altogether. npm is working on a similar feature.

5. Security

A few years ago, npm wasn’t considered secure as it could not address vulnerabilities that could sneak into your system via malicious packages. Since npm wasn’t very good at scanning the dependency tree for all packages, it was easier for attackers to exploit vulnerabilities in one of the many packages. Yarn was an answer to these security pitfalls.

However, npm has evolved over the last couple of years and is now much more secure. npm has a new command called npm audit, allowing developers to scan the dependency tree recursively and look for any anomaly. npm can now also flag packages with known vulnerabilities.

Both npm and Yarn use checksums to ensure that any package being installed is the one that was originally resolved. The checksum of a package is stored in the lock file and compared on future installations of the same package to ensure its integrity.

Wrapping up

Package managers are essential for web development. These two competitors are at the top of their game, and both are pretty good. npm and yarn are both easy to use and provide enough insight into your packages and their dependencies for you to be less worried about security. Both package managers are quite similar and have minor differences. To make an informed decision, you should do your research and try both of them out. Ultimately, you won’t know until you try. Pick one and quickly get started with what matters most – coding.
