• Yarn VS NPM: Everything You Need to Know
  • By Tim Severien
  • The Nuggets translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: EmilyQiRabbit
  • Proofreader: jerryOnlyZRJ, TUARAN

Yarn is a new JavaScript package manager built by Facebook, Google, Exponent and Tilde. As stated in the official announcement, its goal is to address several issues that these teams encountered when using NPM, namely:

  • Installing packages is not fast or stable enough
  • There is a security risk because NPM allows packages to run code at install time

But don’t panic! It is not intended to replace NPM completely. Yarn is just a new CLI client that can obtain modules from the NPM repository.

Should everyone now hop on the Yarn express? You may never have encountered these problems when using NPM. In this article, we will compare NPM with Yarn, so you can decide which is best for you.

Yarn and NPM: functional differences

At first glance, Yarn and NPM are very similar. But when we look more closely, there are differences between them.

The yarn.lock file

The package.json file is where NPM and Yarn keep track of the project’s dependencies, and the version numbers in it are not always exact. Instead, you can define a version range. This lets you bound the highest and lowest acceptable version of a package while still allowing NPM to install the latest patches that fix bugs.

In an ideal world of semantic versioning, released patches should not include any substantive changes. Unfortunately, this is not always the case. NPM’s policy can result in two machines using the same package.json file but ending up with different versions of a package installed, which can lead to failures.

To avoid package version mismatches, the exact installed version is pinned in a lock file. Every time a module is added, Yarn creates (or updates) a yarn.lock file. This way you can still define a range of allowed versions in package.json while guaranteeing that the exact same versions are installed on every other machine.

NPM can also generate a lock file, using the npm shrinkwrap command, and npm install reads that file before reading package.json, in the same way that Yarn reads yarn.lock first. The key difference is that Yarn always creates and updates yarn.lock, whereas NPM does not create a lock file by default and only updates npm-shrinkwrap.json when it exists.

  1. yarn.lock documentation
  2. npm shrinkwrap documentation
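
The version drift described above, and how a lock file removes it, as an added example that is not part of the original article: a simplified range matcher (exact, ~ and ^ ranges only) resolves the same range against two constructed registry states. The package name left-lib, the version lists and the helper names are assumptions made for illustration.

```javascript
// Added example: simplified range matching (exact, ~ and ^ only; no
// prerelease tags). Package name, versions and registry states are constructed.
const parse = (v) => v.split('.').map(Number);

// Negative if a < b, positive if a > b, zero if equal.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Does `version` fall inside `range`?
function satisfies(version, range) {
  const op = /^[~^]/.test(range) ? range[0] : '';
  const base = range.slice(op.length);
  if (op === '') return cmp(version, base) === 0;
  if (cmp(version, base) < 0) return false;
  const [v, b] = [parse(version), parse(base)];
  // ~ fixes major.minor; ^ fixes everything up to the left-most non-zero part.
  const fixed = op === '~' ? 2 : b[0] > 0 ? 1 : b[1] > 0 ? 2 : 3;
  return b.slice(0, fixed).every((n, i) => n === v[i]);
}

// Without a lock file: the newest published version inside the range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// With a lock file: the recorded version wins while its name@range key matches.
function install(name, range, published, lock = {}) {
  return lock[`${name}@${range}`] || resolve(range, published);
}

// Constructed registry contents as seen by two machines on different days.
const monday = ['1.2.0', '1.2.1'];
const friday = ['1.2.0', '1.2.1', '1.2.2', '1.3.0', '2.0.0'];
// The lock entry written on the first machine.
const lock = { 'left-lib@^1.2.0': install('left-lib', '^1.2.0', monday) };

function demo() {
  const both = (l) => [monday, friday].map((reg) => install('left-lib', '^1.2.0', reg, l));
  return { noLock: both({}), withLock: both(lock), tilde: resolve('~1.2.0', friday) };
}
console.log(demo());
```

Without the lock entry the second machine picks up a new minor release it was never tested against; with it, both machines install the version recorded on the first.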

Parallel installation

Whenever NPM or Yarn needs to install a package, it carries out a series of tasks. With NPM, these tasks are performed one package at a time, meaning that the next package is installed only after the previous one is fully installed. Yarn executes these tasks in parallel, improving performance.

For comparison, I installed express using both NPM and Yarn without shrinkwrap or lock files and without caching. This installation includes a total of 42 packages.

  • NPM: 9 seconds
  • Yarn: 1.37 seconds

I couldn’t believe my eyes. Repeating the steps gave similar results. I then installed gulp and downloaded 195 dependencies.

  • NPM: 11 seconds
  • Yarn: 7.81 seconds

It seems that download times vary greatly depending on the number of packages installed. But either way, Yarn is faster.

Clearer output

NPM’s output is verbose by default. For example, when npm install is run, it recursively lists all installed packages. Yarn, on the other hand, is much less verbose. It prints far less information, with appropriate emojis (unless you are running Windows), and details can be obtained from other commands.

Yarn and NPM: CLI differences

In addition to the functional differences, Yarn also has some different commands. Some NPM commands have been removed, others have been modified, and some interesting commands have been added.

yarn global

Unlike NPM, where global operations use the -g or --global flag, Yarn commands are prefixed with global. As with NPM, project-specific dependencies should not be installed globally.

The global prefix only works with yarn add, yarn bin, yarn ls and yarn remove. Except for yarn add, these commands are the same as their NPM equivalents.

  1. yarn global documentation

yarn install

The npm install command installs dependencies from the package.json file and also allows you to add new packages. yarn install only installs the dependencies listed in yarn.lock. If that file is not available, it installs those listed in package.json.

  1. yarn install documentation
  2. npm install documentation
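
An added example (not Yarn’s own code, and not from the original article) of how the entries in a yarn.lock v1 file relate to the ranges in package.json: it reads the name@range keys and reports which dependencies are pinned and which have no lock entry. The sample lock file, the manifest and the function names readLock and checkManifest are constructed for illustration.

```javascript
// Added example: reader for the yarn.lock v1 text layout; all data is constructed.
const sampleLock = `# yarn lockfile v1

accepts@~1.3.3:
  version "1.3.3"
  dependencies:
    mime-types "~2.1.11"

"@scope/util@^2.0.0", "@scope/util@^2.1.0":
  version "2.1.4"

mime-types@~2.1.11:
  version "2.1.13"
`;

const sampleManifest = {
  dependencies: { accepts: '~1.3.3', '@scope/util': '^2.1.0', 'mime-types': '~2.1.12' },
  devDependencies: { 'left-lib': '^1.2.0' },
};

// Map every name@range key (comma-separated, optionally quoted, ending in ":")
// to the version pinned for it.
function readLock(text) {
  const pinned = new Map();
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      keys = line.replace(/:$/, '').split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
    } else {
      const m = /^  version "(.+)"$/.exec(line);
      if (m) keys.forEach((k) => pinned.set(k, m[1]));
    }
  }
  return pinned;
}

// Split the manifest's dependencies into pinned ones and ones with no lock entry.
function checkManifest(manifest, lockText) {
  const pinned = readLock(lockText);
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const report = { locked: {}, unlocked: [] };
  for (const [name, range] of Object.entries(deps)) {
    const key = `${name}@${range}`;
    if (pinned.has(key)) report.locked[name] = pinned.get(key);
    else report.unlocked.push(key);
  }
  return report;
}
console.log(checkManifest(sampleManifest, sampleLock));
```

Anything reported as unlocked is a dependency whose range in package.json has no matching lock entry, so its version is not fixed by the lock file. Running such a check in CI flags a lock file that has fallen behind package.json.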

yarn add [--dev]

Like npm install, yarn add allows you to add and install dependencies. As the name of the command implies, it adds a dependency, meaning that it automatically saves a reference to the package in the package.json file, just as NPM’s --save flag does. Yarn’s --dev flag adds the package as a development dependency, just like NPM’s --save-dev flag.

  1. yarn add documentation
  2. npm install documentation

yarn licenses [ls|generate-disclaimer]

At the time of writing, NPM has no equivalent of this command. yarn licenses ls lists the licenses of all installed packages. yarn licenses generate-disclaimer generates a disclaimer containing the contents of all licenses of all packages. Some licenses state that you must include the project’s license in your project, so this can be a useful tool.

  1. yarn licenses documentation

yarn why

This command analyzes the dependency graph and finds out why the specified package was installed in your project. Maybe you installed it explicitly, or maybe it is a dependency of a package you installed. yarn why helps you figure that out.

  1. yarn why documentation

yarn upgrade [package]

This command updates packages to the latest version allowed by the rules set in package.json and recreates the yarn.lock file. It is similar to npm update.

Interestingly, when a package is specified, it updates that package to the latest version and updates the tag defined in package.json. This means that this command may update the package to a new major release.

  1. yarn upgrade documentation

yarn generate-lock-entry

The yarn generate-lock-entry command generates a yarn.lock file based on the dependencies in package.json. This is similar to npm shrinkwrap. Use this command with caution, as the lock file is generated and updated automatically when you add or upgrade dependencies via yarn add and yarn upgrade.

  1. yarn generate-lock-entry documentation
  2. npm shrinkwrap documentation

Stability and reliability

Could the Yarn express be derailed? It did receive a lot of feedback on the first day of release, but problems were also resolved surprisingly quickly. Both indicate that the community is working to find and fix problems. Looking at the number and type of problems, Yarn is stable for most users, but may not be suitable for some edge cases.

Note that although package management may be important to your project, Yarn is just a package manager. If something does go wrong, it’s not too hard to reinstall your packages and switch back to NPM.

Looking to the future

You probably know the history of Node.js and io.js. In a nutshell, io.js is a fork of Node.js, created by some core contributors due to disagreements over the management of the Node.js project. However, io.js is open source. Within a year, the two teams had reached an agreement, so io.js was merged back into Node.js, and development of io.js was no longer ongoing. Whether this choice is right or wrong now, the upshot is that it introduces a lot of cool functionality to Node.js.

I now see a similar pattern with NPM and Yarn. Although Yarn is not a fork, it improves on several of NPM’s weaknesses. Wouldn’t it be great if NPM learned from this and asked Facebook, Google, and other Yarn contributors to help NPM optimize instead? It’s too early to say that, but I hope so.

Either way, Yarn’s future is bright. The new package manager has excited the community, and people are getting used to it. Unfortunately, there is no roadmap, so I don’t know what Yarn has in store for us.

Conclusion

Yarn scores higher than NPM. You get a lock file for free, packages install surprisingly quickly, and they are automatically saved to package.json. Installing and using Yarn also has few downsides. Try it out on a project to see if it works for you. This makes Yarn an alternative to NPM.

I highly recommend that you try Yarn in a project. If you are cautious about installing and using new software, give it a few months. After all, NPM is battle-tested, which is definitely worth something in the world of software development.

If you happen to be waiting for NPM to finish installing packages, you might want to read the migrating to Yarn guide ;)

How do you feel after reading the article? Are you already using Yarn? Would you like to try it? Or do you think it will just lead to further fragmentation of an already fragmented ecosystem? Leave your thoughts in the comments section.
