NPM vs Yarn - Help me decide

Introduction

Developers are usually caught in a dilemma when choosing between package managers to use in building and managing project dependencies. Two popular package managers in the ecosystem are NPM (Node package manager) and Yarn (package manager created by Facebook). We’ll be looking at these package managers side by side considering the following features:

• Performance
• Security
• Support
• Ease of use

At the end of this article, you’ll be able to decide which package manager to use when building your project.

Performance

Performance has been a bone of contention when comparing these two stacks, NPM ( Node package manager) and Yarn (dependency manager created by Facebook). It was believed since it’s introduction, that Yarn had better performance as opposed to NPM. In recent times, NPM (version 6.4.1 ) has bridged the gap with Yarn (version 1.9.4) in terms of performance. In this section of this article, we’ll compare the performance of these stacks and also their CLI syntax, offline capabilities and ability to install packages in parallel.

Module installation speed

This is where we’ll put package installation speeds to the test using a benchmark performed by appleboy. In this benchmark, we’ll be performing speed test with the latest version of Node v10.11.0 at the time of this writing. You can perform these tests yourself by cloning this repository. The result of the test is stated in the table below:

test case	npm install	npm ci	yarn
install without cache (without node_modules)	3m40s	3m10s	1m1s
install with cache (without node_modules)	1m1s	18s	2s
install with cache (with node_modules)	54s	21s	2s
install without internet (with node_modules)	-	-	2s

Yes! You saw that. Yarn installs without internet while NPM doesn’t. With those results, we don’t need a mother confessor to decide which of the package managers are faster.

CLI syntax Let’s examine the CLI syntax provided by NPM and Yarn. Note that some commands appear in both package managers but do not necessarily do the same thing.

Yarn	NPM
yarn: This command is used to install all the packages in a package.json file.	npm install: This is used by NPM to install packages from the package.json file.
yarn run: This command is used to run script object specified in the package.json file.	npm run: npm run is an alias for the command npm run-script, which does the same thing thing as its Yarn equivalent.
yarn add [package]: This command is used to install a package	npm install [package]: This installs a package from NPM.
yarn remove [package]: This command is used to remove a package.	npm uninstall [package]: This is the NPM equivalent for removing or uninstalling packages.
yarn version: This command is used to update the version of your application using semantic versioning.	npm version: This command lists the version of your application, Node, NPM as well as other Node dependencies.
yarn upgrade: This command upgrade all the packages in the package.json file.	NPM has an equivalent but is an installed package. [npm-upgrade](https://www.npmjs.com/package/npm-upgrade).
yarn self-update: This command is used to update Yarn to the latest available version. At the time of this writing, this command is not yet available.	NPM has no equivalent command as at the time of this writing.

Let’s look at a few of the differences between NPM and Yarn’s CLI syntax in detail:

• yarn version vs npm version: These commands are the same but yield different outputs. Yarn’s use of the version keyword is in terms of updating the tag of application in semver (semantic versioning) format, whereas NPM displays a list portraying the version of the current project, Node, NPM, and other dependencies.
• yarn upgrade vs npm-upgrade: The upgrade keyword, updates all the packages specified in the package.json file for Yarn. NPM doesn’t have an equivalent CLI command but has a global utility module which is installed by running npm i -g npm-upgrade, which is used to update all the packages in package.json by running npm-upgrade.

Offline download Yarn’s offline download feature is one cool feature. How does it work? packages installed using Yarn are installed on the user disk. Although many may condemn this practice, it boycotts the overhead of having to send HTTP requests to get packages which have been installed before. That way, without internet, yarn or yarn add [package_name] installs your packages. NPM, on the other, hand needs the internet to make those HTTP packages to get previously installed packages which many people may like because it doesn’t populate their local disk with packages they may only use one-time.

Parallel Installation Parallel installation is another cool feature exhibited by yarn out of the box. Yarn installs packages in a parallel manner. That is if I have to install five packages and package 2 is taking forever to install, Yarn goes over to package 3 or 4 or 5 it basically installs the packages side by side, unlike the serial manner which NPM uses. Parallel installation is one of the reasons why Yarn triumphs in speed battle with NPM.

Security

Yarn uses a checksum to verify the integrity of packages installed before any code is executed. What is a checksum? A checksum basically is a string of characters created by applying a mathematical algorithm to the contents of a file. It is used to check whether or not two files are the same. How does it work? Anytime a package is installed and is about to be executed, an integrity check is done by using the package’s checksum. NPM, on the other hand, performs integrity checks via SHA-1 (Secure Hash Algorithm) specified in the package-lock.json file. An SHA-1 string is appended on each package block in the package-lock.json and integrity check is performed using the integrity key, which looks like:

...

"wordwrap": {
    "version": "0.0.3",
    "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
    "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
}

...

License checks
Yarn comes with a handy license checker right out of the box, just in case you’ll want to view licenses for your installed packages. The command yarn licenses list will in alphabetical order list all of the packages which were installed by the yarn or yarn install command and also give you the license (as well as URL to the source code) associated with each package. NPM, on the other hand, doesn’t have a handy license checker out of the box. There are a few open source packages which perform this function, one of which is a license-checker by davglass. Let’s examine both commands:

yarn licenses list

yarn licenses v0.14.0
├─ abab@1.0.3
│  ├─ License: ISC
│  └─ URL: git+https://github.com/jsdom/abab.git
├─ abbrev@1.0.9
│  ├─ License: ISC
│  └─ URL: http://github.com/isaacs/abbrev-js
├─ acorn-globals@1.0.9
│  ├─ License: MIT
│  └─ URL: https://github.com/ForbesLindesay/acorn-globals.git
├─ acorn@2.7.0
│  ├─ License: MIT
│  └─ URL: https://github.com/ternjs/acorn.git
├─ align-text@0.1.4
│  ├─ License: MIT
│  └─ URL: git://github.com/jonschlinkert/align-text.git
├─ amdefine@1.0.0
│  ├─ License: BSD-3-Clause AND MIT
│  └─ URL: https://github.com/jrburke/amdefine.git
├─ ansi-escapes@1.4.0
│  ├─ License: MIT
│  └─ URL: https://github.com/sindresorhus/ansi-escapes.git
├─ ansi-regex@2.0.0
│  ├─ License: MIT
│  └─ URL: https://github.com/sindresorhus/ansi-regex.git
...

After installing the license-checker package from GitHub. Run license-checker. PS: Both commands should be run inside the root directory of your project. The output is like so:

├─ cli@0.4.3
│  ├─ repository: http://github.com/chriso/cli
│  └─ licenses: MIT
├─ glob@3.1.14
│  ├─ repository: https://github.com/isaacs/node-glob
│  └─ licenses: UNKNOWN
├─ graceful-fs@1.1.14
│  ├─ repository: https://github.com/isaacs/node-graceful-fs
│  └─ licenses: UNKNOWN
├─ inherits@1.0.0
│  ├─ repository: https://github.com/isaacs/inherits
│  └─ licenses: UNKNOWN
├─ jshint@0.9.1
│  └─ licenses: MIT
├─ lru-cache@1.0.6
│  ├─ repository: https://github.com/isaacs/node-lru-cache
│  └─ licenses: MIT
├─ lru-cache@2.0.4
│  ├─ repository: https://github.com/isaacs/node-lru-cache
│  └─ licenses: MIT
├─ minimatch@0.0.5
│  ├─ repository: https://github.com/isaacs/minimatch
│  └─ licenses: MIT
├─ minimatch@0.2.9
│  ├─ repository: https://github.com/isaacs/minimatch
│  └─ licenses: MIT
├─ sigmund@1.0.0
│  ├─ repository: https://github.com/isaacs/sigmund
│  └─ licenses: UNKNOWN
└─ yui-lint@0.1.1
   ├─ licenses: BSD
      └─ repository: http://github.com/yui/yui-lint

Support

NPM is an open source dependency manager created by Isaac Z. Schlueter to meet up with the shortcomings of similar packages such as PEAR. Yarn on the order hand was developed by Facebook to meet up with the shortcomings of NPM. There’s a lot of developer traffic tending towards Yarn reasons being that Yarn is quite faster than NPM. Like shown above on this page, Yarn which is fairly young has more stars compared to NPM as at the time of this writing. These two packages are now well aware of themselves, with Yarn being able to be installed using NPM. Yarn, on the other hand, can install packages from the package-lock.json by using the [yarn import](https://yarnpkg.com/en/docs/cli/import) command. Which will help migrate projects relying on package-lock.json to Yarn. To know more, you can visit the [yarn-import](https://yarnpkg.com/en/docs/cli/import#toc-motivation) documentation.

From Yarn’s blog:

This feature is one of the first fruits of a continuing collaboration between the maintainers of the two package managers. We feel strongly about the two tools being aware of each other and providing an easy transition path between them…

NPM installs all and every package from npmjs.com which hinders accessibility in the event that one goes down, Yarn, on the other hand, installs from multiple repositories npmjs.com as well as Bower. While this doesn’t guarantee everyday availability but it reduces the probability of unavailability to the barest minimum. In the spirit of open sourcing, Listed below are links to their individual repositories, PRs would be welcomed in any of the repositories.

• https://github.com/npm/cli
• https://github.com/yarnpkg/yarn

Ease of use

Ease of use or user-friendliness is the last feature we’ll be looking at in this article. In this section, we’ll be looking at two criteria (CLI and user experience), which we’ll use to examine the user-friendliness of these package managers.

CLI (Command Line Interface) Yes! you read that right. I mean, it’s CLI why would UI be a criterion. Let’s take a look at how the terminal looks like when we’re running a simple npm install **** or yarn command.

npm install

yarn

Both installations were done with the same package.json file. We can see that NPM and Yarn have different CLIs. NPM generates noise during installation which can be silenced by using the -s flag to run it in silent mode.

User experience Both package managers have good user experience, like in the case of initializing a new project directory using yarn init or npm init. Where they both provide an interactive mode helping the user set up a new project. Yarn comes out of the box like stated above in performance section with an upgrade command yarn upgrade which helps to update all the dependencies in the project. This command also has an interactive feature which can be used by running yarn upgrade-interactive [--latest] which outputs like so:

[1/? Choose which packages to update. (Press <space> to select, <a> to toggle all, <i> to inverse selection) devDependencies
❯◯ autoprefixer      6.7.7  ❯  7.0.0          https://github.com/postcss/autoprefixer#readme
 ◯ webpack           2.4.1  ❯  2.5.1          https://github.com/webpack/webpack

 dependencies
 ◯ bull              2.2.6  ❯  3.0.0-alpha.3  https://github.com/OptimalBits/bull#readme
 ◯ fs-extra          3.0.0  ❯  3.0.1          https://github.com/jprichardson/node-fs-extra
 ◯ socket.io         1.7.3  ❯  1.7.4          https://github.com/socketio/socket.io#readme
 ◯ socket.io-client  1.7.3  ❯  1.7.4          https://github.com/Automattic/socket.io-client#readme

NPM, on the other hand, exhibits this same level of user experience just that this feature doesn’t come out of the box but with a package called npm-upgrade. This package can be installed by running this command npm i -g upgrade. After installing, typing npm-upgrade in your project directory and hitting the Enter key will yield the following output:

Yarn vs npm: What are the differences?

Introduction

Yarn and npm are both package managers widely used in the JavaScript ecosystem. While they serve the same purpose of managing dependencies, there are some key differences between the two. This Markdown code provides a concise comparison of Yarn and npm.

1. Installation speed: Yarn generally installs packages faster than npm due to its parallel downloading feature. When a package has multiple dependencies, Yarn can download them simultaneously, while npm downloads them sequentially. This parallel downloading capability significantly reduces installation times.

2. Security: Yarn has a stricter security model compared to npm. Yarn uses checksums to validate every package that is installed, ensuring that the packages have not been tampered with or compromised. On the other hand, npm relies on HTTPS connections to download packages but does not perform the same level of validation as Yarn. This makes Yarn a more secure option for package installation.

3. Dependency resolution: Yarn and npm use different algorithms for resolving dependencies. Yarn uses a lockfile (yarn.lock) that guarantees reproducible builds by locking the exact versions of dependencies. npm, on the other hand, uses a package-lock.json file. While both achieve similar outcomes, Yarn's lockfile is generally considered more reliable and consistent.

4. Compatibility with multiple registries: Yarn is capable of seamlessly connecting to multiple registries simultaneously, making it easy to work with both the npm registry and private registries. This flexibility allows for more efficient management of dependencies across different registries. npm can also work with multiple registries, but it requires additional configuration steps to switch between them.

5. Execution speed: Yarn performs operations such as package installation and dependency resolution faster than npm. Yarn accomplishes this by using a parallel processing approach, which can significantly improve the speed of various commands in comparison to npm.

6. Offline Mode: Yarn provides an offline mode that allows developers to install packages and work on projects without requiring an internet connection. This is particularly useful in situations where developers need to work in environments with limited or no internet access. npm does not have a built-in offline mode, making it dependent on an internet connection for most operations.

In summary, Yarn offers faster installation speed, enhanced security features, a more reliable lockfile for dependency resolution, compatibility with multiple registries, superior execution speed, and an offline mode compared to npm. These differences make Yarn a preferred choice for many JavaScript developers.