NPM vs Yarn


In this article, we will compare and explore the differences between npm and Yarn, the two best-known package managers for Node.js.

We will compare Yarn and npm in terms of speed and performance, installation method, ease of use, security, advantages, and disadvantages.

Before we get into the details of the comparison, let’s take a look at the definitions and general info regarding these two package managers themselves.

A package manager is a tool that manages a project's dependencies automatically: we can install, update, and upgrade packages, run scripts, configure project settings, uninstall, and so on. Even a small project can pull in hundreds or thousands of packages with deeply nested dependencies, which is impossible to manage by hand. That is where package managers come into play.

npm (commonly expanded as Node Package Manager) is the default package manager for Node.js. It ships with a CLI (command-line interface) tool that installs, manages, and removes Node.js packages, and it hosts the public registry those packages come from. It was released back in 2010, beginning a new era in web development.

Yarn was released by Facebook in 2016 as an alternative client for the same npm registry. The motivation was to address the drawbacks npm had at the time, mainly around performance, deterministic installs, and security. In short, it aimed to be a more secure, stable, and efficient tool.

  • npm is installed together with Node.js, as mentioned above. Check the version with:
npm -v
  • In contrast, Yarn must be installed explicitly. Yarn 1 (Classic) can be installed globally through npm:
npm install yarn -g
  • For Yarn 2 and later, the recommended route is Node's bundled Corepack (corepack enable), which provisions the Yarn version pinned in the project's packageManager field of package.json, so every developer and CI runner uses the same release.

npm installs dependencies with the npm install command. At the time Yarn appeared, npm did much of its install work one package at a time, which is the basis of the speed comparison below; recent npm versions also fetch and install packages concurrently, so the gap is far smaller today.

Yarn uses the yarn command to install dependencies. It fetches and installs packages in parallel, downloading several of them at the same time, which is one of the reasons it is quicker than npm.

As mentioned above, npm historically ran its install tasks per package and sequentially, while Yarn runs them in parallel, which makes it faster than npm on larger dependency trees.

Speaking of speed, Yarn 2 and later offer a Zero-Installs feature. Instead of a node_modules folder, Plug'n'Play records the complete dependency map in a .pnp.cjs file, and the package archives live in the project's .yarn/cache directory. If both are committed to the repository, a fresh clone is ready to run with no install step and no network access, because everything it needs is already on disk.

Photo by the author

As you can see above, reinstallation was very fast with Yarn. We will look at more of Yarn's features later on; first, let's look at the security of both package managers and the methods each uses to improve it.

Security is one of the main considerations when choosing between these two package managers. Yarn was initially regarded as the more secure option, although the npm team has since closed most of that gap with comparable improvements in newer npm versions.

npm has built-in auditing: since npm 6, npm install warns automatically when it installs a package with a known security vulnerability. You can run the check manually with npm audit against the installed packages, and npm audit fix applies the updates that resolve the findings within the existing semver ranges. Fixes that require a semver-major upgrade are only applied with npm audit fix --force, which can introduce breaking changes, so review those separately. Yarn has the equivalent yarn audit (Yarn 1) and yarn npm audit (Yarn 2+).
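In CI, the useful form of npm audit is a pass/fail gate on a severity threshold. The following is an added example, not code from the article or from npm itself: it takes a report in the shape `npm audit --json` emits (npm 7+, auditReportVersion 2), lists everything at or above the threshold, and separates what `npm audit fix` will apply on its own from what needs a semver-major bump. The report is constructed sample data and the package names are hypothetical.

```javascript
// Added example, not from the article: turn an `npm audit --json` report into a
// CI pass/fail decision. The report below is constructed sample data in the
// shape npm 7+ emits (auditReportVersion 2); the package names are hypothetical.
const SAMPLE_AUDIT_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-left-pad": {
      name: "example-left-pad",
      severity: "high",
      isDirect: false,
      via: ["example-utils"],
      effects: [],
      range: "<1.2.0",
      nodes: ["node_modules/example-left-pad"],
      fixAvailable: true, // a fix exists inside the current semver ranges
    },
    "example-minimist": {
      name: "example-minimist",
      severity: "moderate",
      isDirect: true,
      via: [{ title: "Prototype pollution (constructed advisory)", url: "https://example.invalid/advisory" }],
      effects: [],
      range: "<1.0.0",
      nodes: ["node_modules/example-minimist"],
      // the only fix is a semver-major bump: `npm audit fix` will not apply it without --force
      fixAvailable: { name: "example-minimist", version: "1.0.0", isSemVerMajor: true },
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Collect the vulnerabilities at or above `threshold` and sort them by what
// `npm audit fix` can do about them.
function triageAudit(report, threshold = "high") {
  const minimum = SEVERITY_RANK[threshold] ?? SEVERITY_RANK.high;
  const triage = { blocking: [], autoFixable: [], needsMajorBump: [], unfixable: [] };
  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < minimum) continue;
    triage.blocking.push(vuln.name);
    if (vuln.fixAvailable === true) {
      triage.autoFixable.push(vuln.name);
    } else if (vuln.fixAvailable && vuln.fixAvailable.isSemVerMajor) {
      triage.needsMajorBump.push(vuln.name);
    } else {
      triage.unfixable.push(vuln.name);
    }
  }
  return triage;
}

// Exit status for the CI step: 0 when nothing at or above the threshold remains.
function auditExitCode(report, threshold = "high") {
  return triageAudit(report, threshold).blocking.length === 0 ? 0 : 1;
}
```

To use it in a pipeline, pipe `npm audit --json` into a small wrapper that reads stdin, calls `auditExitCode(JSON.parse(input))`, and sets `process.exitCode` from the result; with the sample report, a "high" threshold fails the build because of example-left-pad, while a "critical" threshold passes. The `needsMajorBump` bucket is the one to review by hand rather than fix with `--force`.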

Besides, Yarn verifies a checksum of every package it installs, a proven method of quickly determining whether two files are identical without comparing their contents byte by byte. (Checksum: a string of letters and numbers used to check data for errors or tampering during transfer or storage.)

Both Yarn and npm record a cryptographic hash of each package tarball in the lock file (npm's integrity field uses SHA-512 Subresource Integrity strings of the form sha512-...) and reject a download whose hash does not match, which protects against a tampered or corrupted package being installed.

Yarn writes a lock file called yarn.lock that records the exact version and source of every dependency in the tree, so every install reproduces the same tree. npm's equivalent is package-lock.json. Yarn 1 can also read an existing package-lock.json and generate a yarn.lock from it with yarn import, which makes migrating a project from npm to Yarn straightforward. Either lock file only protects you if the install refuses to rewrite it: use npm ci with npm, and yarn install --frozen-lockfile (Yarn 1) or yarn install --immutable (Yarn 2+) in CI.

  • Both npm and Yarn can fetch a package from the registry and run its command directly without adding it to the project (npx with npm, yarn dlx with Yarn 2+). Keep in mind that this executes whatever the package's current version contains on your machine, so pin an exact version rather than running the latest one.

Both npm (since version 7) and Yarn support workspaces, which let a single repository manage the dependencies of several packages, for example in a monorepo.
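An added example (not from the article) of the root package.json that turns a repository into a workspace; both npm 7+ and Yarn read the same workspaces field. The package and directory names are hypothetical.

```json
{
  "name": "example-monorepo",
  "private": true,
  "workspaces": [
    "packages/*"
  ]
}
```

With packages/api and packages/web each holding its own package.json, a single npm install or yarn install at the root installs the dependencies of all of them and links the workspace packages to each other. The "private": true flag stops the root from being published to the registry by accident.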

Yarn

  • As mentioned in the speed and performance section, Zero-Installs use the .pnp.cjs file to map packages to the committed offline cache, so a fresh clone can be used with almost no delay. The feature builds on Plug'n'Play.
  • With Plug'n'Play, Yarn generates a single .pnp.cjs file that maps each package to its location on disk and to its list of dependencies, without generating a node_modules folder. Projects that need the traditional layout can set nodeLinker: node-modules in .yarnrc.yml.
  • Yarn has a built-in license checker (yarn licenses in Yarn 1) for the packages it installs.
  • Integrity verification and deterministic lock files from its first release.
  • Supports features such as Zero-Installs, parallel installation, and Plug'n'Play.
  • Large, active user community.
  • Does not work with older versions of Node.js (lower than version 5).
  • Some packages, especially native modules and tools that assume a node_modules layout, have problems under Plug'n'Play.

NPM

  • Easy to use, especially for users of older versions.
  • No additional tools to install; it ships with Node.js.
  • Deduplicates packages in node_modules to save disk space.
  • Needs network access to install from the online registry, so registry outages or slowdowns block installs; npm keeps a local cache, but a fully offline install still depends on every package already being cached.
  • Although security has improved across npm versions, vulnerabilities in packages and in the tooling itself still turn up, so auditing remains necessary.

In this article, we have looked at the two main package managers and the features each provides. They are very useful tools for keeping a project's dependencies under control. Today, however, the two are much closer together in functionality than they were when Yarn was introduced.

In the end, your choice between npm and Yarn will depend on your tastes, preferences, and requirements.


This article was written by Han Sheng, Technical Lead at Arkmind, Malaysia. He has a passion for software design and architecture, computer vision, and edge devices. He has built several AI-based web and mobile applications to help clients solve real-world problems. Feel free to read about him via his GitHub profile.
