NPM vs YARN
As a web developer, I have come across Yarn and NPM. Both are used to manage the dependencies of your Node application. Many developers prefer NPM over Yarn, and I have tried to find out what the reasons behind that are.
1. The speed:
One of the main differences between NPM and Yarn is how they handle the package installation process. Yarn installs packages in parallel. Yarn is optimized to fetch and install multiple packages simultaneously. If you are installing five packages, and two are taking a long time to install, Yarn will go over and install them concurrently.
On the other hand, NPM would install each package one at a time. It fetches every package independently. This means that if you install a list of five packages, NPM will perform a serial installation process. Parallel installation is one of the reasons why Yarn beats NPM in a speed race.
When you install a package, both package managers save it to an offline cache. You can then install a package you have installed before from that cache, even when you are offline.
Yarn has a well-managed offline cache, and it can install a cached package with almost no delay, a concept Yarn calls Zero-Installs.
Zero-Installs stores the cache in your project directory. When you run commands such as yarn install or yarn add, Yarn creates a .pnp.cjs file. This file contains the dependency hierarchy that Node.js uses to load your project's packages, so they can be accessed at almost zero cost.
Note: The Zero-Installs workflow is optional. You can still rely on the global cache for your projects.
2. The lock file generation:
A lock file is a list of all the dependencies required for your project to function. This file “locks down” your dependency versions, so that whenever someone else runs yarn install or npm install, they receive the exact dependency versions listed in the lock file. This ensures that your team has the identical package versions as you do. It also helps prevent bugs that can appear when updated, untested package versions are introduced.
Security
You download packages from the NPM registry without necessarily knowing what you’re getting. However, both package managers perform a security check on each install.
Yarn checks behind the scenes and makes sure that you’re not downloading rogue scripts or packages that conflict with your project dependencies. Security is one of Yarn’s core features.
In the past, NPM was very fragile and didn’t provide a secure installation process. This allowed other packages to get included on the fly, resulting in possible security vulnerabilities. It has since greatly improved its security checks in recent updates.

Checksum vs Secure Hash Algorithm (SHA-512):
A checksum is a mathematical error-detection value: a block of data derived from the original data so that errors introduced while transferring the data from one computer to another, or while storing it, can be detected. This helps ensure data integrity.
Before the data is transferred, the sender calculates a checksum over it and attaches that checksum to the original data (the packet).
The receiver then recalculates the checksum over the data it received. If the two checksum values are equal, no error is detected and the data is accepted; otherwise, the data is rejected.
Yarn uses checksums to ensure data integrity. When a package has been installed and is about to be executed, Yarn performs a checksum integrity check to detect any malicious content being transferred to your computer.
NPM uses SHA-512 to check the integrity of the packages you install. NPM stores a SHA-512 string for every installed package in the package-lock.json file, as shown below.
    "lodash": {
      "version": "4.17.21",
      "resolved": "registry.npmjs.org/lodash/-/lodash-4.17.21...",
      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
    }
NPM uses the SHA-512 integrity hash in each package block of the lock file to verify the package it downloads.
NPM also audits every package during installation and informs you of possible vulnerabilities.
NPM Package Audit: You can also run npm audit at any time to check your entire dependency tree. If any vulnerabilities are found, NPM gives you a security recommendation.
The package-lock.json:
The package-lock.json file is there to solve a problem with package.json that we haven't discussed yet.
We saw earlier that when you install a new package, its version is recorded in package.json, following the semver convention.
Basically, the character in front of the version number (such as ^ or ~) tells NPM which newer versions it may pick whenever the npm install command is run. If you omit the prefix, NPM will always use that exact version, whatever happens.
If you always specify exact versions, the problem explained next does not arise.
Now let's say you have been working for a couple of years on a project, and a new contributor clones and installs it.
Since a lot of time has passed, some of our dependencies will have received new releases. As explained earlier, depending on your semver prefix, NPM will look for potentially newer versions...
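To make that drift concrete, here is an added example (not NPM's own code) that resolves exact, ~ and ^ ranges against a constructed list of published versions, first on day one and then two years later, and shows how a pinned version from a lock file holds the choice steady. It implements the three common prefixes only and ignores pre-release tags.

```javascript
// Added example (not from the article): how a package.json range such as "^4.17.15"
// or "~4.17.15" is resolved against the versions published at install time, and
// how a lock-file pin overrides that choice. Pre-release tags are ignored here.

// Compare two "major.minor.patch" strings numerically; negative, zero or positive.
function compareVersions(a, b) {
  const [ma, na, pa] = a.split('.').map(Number);
  const [mb, nb, pb] = b.split('.').map(Number);
  return (ma - mb) || (na - nb) || (pa - pb);
}

// Does `version` fall inside the range "<prefix>major.minor.patch"?
//   no prefix : exactly that version
//   "~"       : same major.minor, patch may move forward
//   "^"       : first non-zero component fixed, later ones may move forward
function satisfies(version, range) {
  const prefix = /^[\^~]/.test(range) ? range[0] : '';
  const base = prefix ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;   // never go below the base
  const [vMaj, vMin, vPat] = version.split('.').map(Number);
  const [bMaj, bMin, bPat] = base.split('.').map(Number);
  if (prefix === '') return compareVersions(version, base) === 0;
  if (prefix === '~') return vMaj === bMaj && vMin === bMin;
  if (bMaj !== 0) return vMaj === bMaj;                    // ^4.x.x
  if (bMin !== 0) return vMaj === 0 && vMin === bMin;      // ^0.2.x
  return vMaj === 0 && vMin === 0 && vPat === bPat;        // ^0.0.x is exact
}

// Pick what `npm install` would fetch: the highest published version in range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// With a lock file present, the pinned version wins as long as it still satisfies
// the range; only otherwise is the range resolved afresh.
function install(range, published, lockedVersion) {
  if (lockedVersion && satisfies(lockedVersion, range)) return lockedVersion;
  return resolve(range, published);
}

// Constructed registry snapshots: what existed on day one vs two years later.
const dayOne = ['4.17.15'];
const twoYearsLater = ['4.17.15', '4.17.21', '4.18.0', '5.0.0'];
const pinned = resolve('^4.17.15', dayOne);                 // '4.17.15' goes into the lock
console.log(install('^4.17.15', twoYearsLater, null));      // '4.18.0': drift without a lock
console.log(install('^4.17.15', twoYearsLater, pinned));    // '4.17.15': the lock holds
console.log(resolve('~4.17.15', twoYearsLater));            // '4.17.21': patch updates only
```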
Package-lock to the rescue. As its name implies, it locks the version number in stone and guarantees that the same package version is installed on every subsequent installation.

Ease of use:
One thing to consider before choosing a package manager is which interface is more user-friendly. This includes how the command-line terminal looks after running commands such as npm install or yarn add.
NPM and Yarn have different command-line interfaces. Both are user-friendly and offer a good user experience. This is evident when using commands such as npm init and yarn init: both provide an interactive guide that helps users initialize a Node.js project.
NPM vs Yarn updates:
Yarn and NPM are continually updating to improve on their current features, as well as adding new features such as NPX and PnP.
NPX: NPX stands for Node Package Executor. It ships with NPM version 5.2.0 and higher. NPX helps you execute one-off commands: with NPX, you can run packages from the NPM registry without adding them to your project dependencies.
Yarn introduced Yarn2, nicknamed Berry. This new Yarn version has exciting features such as Plug’n’Play, Constraints, Offline installation, Zero install, Workspaces, and Yarn Dlx (the new Yarn NPX).
The most significant additions here are:
Plug’n’Play - This is an alternative installation strategy. Instead of generating a node_modules directory and leaving the resolution to Node.js, Plug’n’Play generates a single pnp.js file and lets Yarn tell us where to find our packages. This means:
- No more node_modules.
- Package installation time reduced by up to 70%.
- Plug’n’Play warns you when you forget to list a dependency.
- Faster project boot time.
Conclusion
These two package managers are great at managing and maintaining your project dependency tree. They are reliable, and they have a great and supportive JavaScript community. With the added features, NPM is almost identical to Yarn. The choice between the two may depend on personal preference, performance, community support, or ease of use.