npm vs Yarn - Which Package Manager Should You Use?

By Cody Arsenault
Published on December 14, 2017

npm and Yarn are two well-known JavaScript package managers. If you're not familiar with what a package manager does, it is essentially a way to automate the process of installing, updating, configuring, and removing pieces of software (packages) retrieved from a global registry. In this post, we'll be going over what differences exist between two of the most popular JavaScript package managers - npm and Yarn.

What is npm?

The JavaScript node package manager, typically abbreviated in all lowercase as npm, is the default method for managing packages in the Node.js runtime environment. It relies upon a command line client and a database made up of public and premium packages known as the npm registry. Users can access the registry via the client and browse the many packages available through the npm website. Both npm and its registry are managed by npm, Inc.

What is Yarn?

Yarn was developed by Facebook in an attempt to resolve some of npm's shortcomings. Yarn isn't technically a replacement for npm since it relies on modules from the npm registry. Think of Yarn as a new installer that still relies upon the same npm structure. The registry itself hasn't changed, but the installation method is different. Since Yarn gives you access to the same packages as npm, moving from npm to Yarn doesn't require you to make any changes to your workflow.

How to install npm

npm is distributed with Node.js, so once you download Node.js you will automatically have npm installed and ready to use.

Once Node.js has been installed, use the following commands to ensure installation was successful:

node -v
npm -v

How to install Yarn

You have two options. If you want to install Yarn using npm, enter the following command:

npm install yarn --global

However, the developers advise against using npm to install Yarn. A better alternative is to install Yarn using your native OS package manager. For example, if you were using brew on a Mac, you'd enter:

brew update
brew install yarn

If you'd like to try out Yarn on an existing npm project, just run:

yarn

You should then see your node_modules folder displayed using Yarn's resolution algorithm.

Comparing Yarn vs npm

Yarn has a few characteristics that set it apart from npm (especially versions of npm prior to 5.0). A few of these include the following.

The yarn.lock File

Managing version numbers in package.json can get messy sometimes. However, the yarn.lock file helps alleviate the mess. Whenever you add a new module, Yarn updates a yarn.lock file. Similar to the Gemfile.lock feature in Ruby, the yarn.lock file ensures that the exact same package gets installed on every device. These lockfiles are called as such because they "lock" dependencies to their specific versions during installation. A lockfile consists of ordered keys to ensure minimal changes to the file structure in node_modules across all machines.

In previous versions of npm, the same thing was accomplished with the shrinkwrap command. However, the shrinkwrap file doesn't get generated automatically, and it requires ongoing maintenance. npm has since improved upon npm-shrinkwrap with the introduction of the package-lock.json file. Since the yarn.lock file handles everything automatically, that means less work for you.

Package installation

When installing a package, npm performs the necessary steps sequentially, meaning that each package must be fully installed before moving to the next. However, Yarn has the power to perform multiple installation steps at once, which drastically speeds up the process.

This is similar to the parallelism seen in HTTP/2.

Speed

Yarn was always much faster than any of the npm versions below 5.0. The team at npm announced that npm 5.0 would be 5x faster than its predecessor for certain operations. However, as shown by the results below from Scott Logic, Yarn still appears to be faster than npm 4 and 5 when testing with some fairly simple dependencies.

Furthermore, npm 5 doesn't seem to provide much greater speeds than its predecessor. This may not mean much when you're installing something like the gulp package, but it can make a huge difference in larger projects. Thanks to Yarn, bigger builds no longer necessarily entail longer build times.

If you want to run your own tests, Artberri has created npm-yarn-benchmark, a tool that lets you compare npm vs Yarn performance.

Security

A major problem with npm is that it automatically runs code from dependencies and permits packages to be added on the fly. While this feature comes with its conveniences, it also creates security vulnerabilities. Since Yarn only installs from your yarn.lock or package.json files, it's considered to be more secure, which is increasingly important in today's world. Yarn also makes use of checksums before installation to ensure the integrity of each package.

Command differences

On top of its functional advantages, Yarn comes with several new or altered commands. Likewise, it dumped and altered some old npm ones. Here's a look at the command differences between Yarn and npm.

Installing

While the npm install command installs dependencies from the package.json file, the Yarn equivalent, yarn, installs dependencies listed in the yarn.lock file.

yarn why

If you're wondering why a certain package was installed, the yarn why command will search the dependency graph to help you figure it out.

Adding packages

The yarn add <package> command lets you add dependencies just like the npm install <package> command, but it also automatically saves references to the packages in the package.json file.

Licenses

The yarn licenses ls command lists all of the licenses of your installed packages. Similarly, the command yarn licenses generate-disclaimer outputs a disclaimer with the content of all your licenses, which is required in some cases. The feature is currently not available in npm.

Upgrading packages

Like npm update, the yarn upgrade [package] command lets you upgrade packages to their most recent version by updating your yarn.lock files. It also updates any related tags that are defined in package.json.

yarn generate-lock-entry

If you want to manually generate a yarn.lock file based on dependencies defined in package.json, you can use the yarn generate-lock-entry command. It's basically the same as npm shrinkwrap, but it should be used carefully since the yarn.lock file gets rewritten automatically every time you add or upgrade dependencies with yarn add or yarn upgrade.

For a full list, Infinite Red has made a side-by-side comparison of npm commands and their Yarn equivalents.

npm improvements in version 5.0

With the release of npm 5, three major improvements were achieved:

  1. Versioning: npm 5 introduced the package-lock.json file and got rid of npm-shrinkwrap. This helped reduce variations in dependency versions between installations.
  2. Faster speeds: npm 5 is faster than its predecessors, although as shown above, it still isn't able to beat Yarn in terms of performance.
  3. Save by default: In previous versions, users were forced to add the --save flag while installing a new package. Now this is done by default.

npm vs Yarn: Which is more reliable?

Upon Yarn's initial public release, users complained about several performance problems, but those issues have since been resolved. Since Yarn is supported by some of the world's largest tech companies, bugs are identified and taken care of fairly quickly. Consequently, Yarn should be stable for everyone at this time. If you're using Yarn for a project and you run into problems, you can always switch back to npm and reinstall your packages with little trouble.

Yarn's drawbacks

Although Yarn is still commonly considered an improvement over npm, it isn't without its own problems. For example, using npm and Yarn together can create conflicts. To avoid issues, it's recommended to have npm and Yarn pointed at different registries than their defaults to facilitate a reliable continuous delivery pipeline with your own repository. Despite enabling faster installs, Yarn also adds to your disk space usage since it stores dependencies locally.

The fact that Yarn is still young naturally makes some people skeptical especially considering that npm has been the standard for so long. The bugs that Yarn had in the beginning may have also left a bad taste in some developers' mouths, although Yarn now is in a much better place than it was 12 months ago.

Despite its imperfections, Yarn is slowly overtaking npm as more developers realize its benefits. From faster processing to stronger security, Yarn's superiority over npm is undisputed. In terms of popularity on GitHub, Yarn currently has close to 30,000 stars, while npm has about half of that amount.

Other options

Yarn isn't the only alternative to npm. Some developers consider pnpm to be an even better package manager. Based on benchmarks performed by Intoli, pnpm is indeed faster than both Yarn and npm in many cases. It also doesn't eat up disk space like Yarn does. That's because pnpm circumvents having to copy locally cached source files by leveraging hardlinks and symlinks.

This approach, however, has its own flaws, which is why the feature was left out of Yarn in the first place. On the other hand, pnpm boasts many of the same features as Yarn such as offline mode and deterministic installs. If speed is your top priority, then you might want to give pnpm a chance.

Summary

Yarn is becoming increasingly popular thanks to its superior performance, easy installation, and numerous convenient features. Nonetheless, npm is still around, and working on making improvements with each new version release.

If you've yet to give it a spin, try using Yarn instead of npm for your next project and see what you think. If you're installing newer software, you might want to stick with npm for now since it's tried and true. However, if you get tired of npm's slow installation times, then it might be time to make the move to Yarn.
