
npm vs yarn

Before going to NPM or YARN, it's important to understand Node.js


Node.js is a platform for interpreting JavaScript code and running applications. In the beginning, JavaScript was considered a client-side scripting language, but now we can also use it for server-side programming, just as with C#, Java, Python, etc.

This platform was built on Google Chrome's JavaScript engine, so it can run JavaScript as a server-side language and perform server tasks such as handling incoming application data or communicating with databases. I'll write a complete post about Node.js to explain this platform in depth.

npm (node package manager)

npm gives you access to a set of libraries of code that others have written to add specific features to your Node application. You can install a package into your application with the following command:

> npm install <package>

With the command above you have installed a package, so you can start using it in your Node application. Before using a package, you should read its documentation.

Besides installing packages, npm is responsible for managing the project's dependencies. The package.json file maintains the list of all the dependencies your project needs. See the following example:

"dependencies": {
  "@types/node": "^20.10.4",
  "@types/react": "^18.2.42",
  "@types/react-dom": "^18.2.17",
  "contentlayer": "^0.3.2",
  "date-fns": "^2.30.0",
  "next": "^14.0.3",
  "next-contentlayer": "^0.3.4",
  "next-themes": "^0.2.1",
  "react": "18.2.0",
  "react-dom": "18.2.0",
  "rehype-pretty-code": "^0.12.0",
  "rehype-slug": "^6.0.0",
  "remark-gfm": "^3.0.1",
  "typescript": "^5.3.3"
},

Every time you install a package, a new entry is added to the dependencies section of package.json. That means you must add that file to your source control system; a new developer can then get your solution from the repository and run "npm install" to fetch all the project's dependencies and start working on the application.

yarn

Similar to npm, yarn is a package manager used to manage dependencies (installing, updating, configuring, and removing package dependencies); so far, both tools perform almost the same tasks. A package is added with:

> yarn add <package>

npm vs yarn

One of the most important differences is performance: yarn can install packages in parallel, whereas npm only supports sequential installation.

As we can see in the following metrics, yarn performs better than npm in different scenarios:

Full cold:
When cloning a project on a new machine.
[benchmark chart]

Cache only:
When your cache is at least partly populated but you don't have a lockfile.
[benchmark chart]

Cache and lockfile:
When doing a new clone or new install of a project.
[benchmark chart]

Recurrent calls:
Very small operations like running add, remove, or updating the workspace layout (the common case).
[benchmark chart]

The previous screenshots were taken from the following website: https://p.datadoghq.eu/sb/d2wdprp9uki7gfks-c562c42f4dfd0ade4885690fa719c818?refresh_mode=sliding&tpl_var_npm%5B0%5D=%2A&tpl_var_pnpm%5B0%5D=no&tpl_var_yarn-classic%5B0%5D=%2A&tpl_var_yarn-modern%5B0%5D=%2A&tpl_var_yarn-nm%5B0%5D=no&tpl_var_yarn-pnpm%5B0%5D=no&from_ts=1703183543174&to_ts=1705775543174&live=true

Security

Yarn is pretty good at scanning the dependency tree of all packages, making it harder for attackers to exploit vulnerabilities in one of the many packages. npm, however, has had trouble addressing such security issues in older npm versions.

Lock File Generation

yarn and npm both offer lock file generation:

  • yarn produces a yarn.lock file
  • npm produces a package-lock.json file

Both lock files record the versions of all the dependencies required by the project.
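Added example (not part of the original post): a small Node script that compares a package.json dependency block like the one shown earlier with a package-lock.json, reporting which dependencies the lock file actually pins (a version inside the manifest's range plus an integrity hash) and which are missing or unpinned. Both the manifest and the lock entries are constructed samples, and the integrity strings are placeholders.

```javascript
// Constructed manifest, modelled on the post's dependencies block.
const manifest = {
  dependencies: {
    "date-fns": "^2.30.0", // caret range: any 2.x at or above 2.30.0
    "react": "18.2.0",     // exact version, as in the post
    "remark-gfm": "^3.0.1",
  },
};
// Constructed lockfile in the lockfileVersion 3 layout (entries keyed by
// node_modules path). Integrity strings are placeholders, not real hashes.
const lock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/date-fns": { version: "2.30.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/react": { version: "18.2.0" }, // integrity field missing
    // "remark-gfm" is deliberately absent from the lock
  },
};

// Does a resolved version satisfy a manifest specifier? Covers the two forms in
// the post (exact version, caret range); other syntax or pre-release tags yield null.
function satisfies(spec, version) {
  const plain = /^\d+\.\d+\.\d+$/;
  if (plain.test(spec)) return spec === version;
  if (!spec.startsWith("^") || !plain.test(spec.slice(1)) || !plain.test(version)) return null;
  const floor = spec.slice(1).split(".").map(Number);
  const got = version.split(".").map(Number);
  // ^1.2.3 allows >=1.2.3 <2.0.0, while ^0.2.3 allows only >=0.2.3 <0.3.0
  if (got[0] !== floor[0] || (floor[0] === 0 && got[1] !== floor[1])) return false;
  for (let i = 0; i < 3; i++) {
    if (got[i] !== floor[i]) return got[i] > floor[i];
  }
  return true;
}

// One verdict per manifest dependency. Only "pinned to ..." means the lock fixes
// both the version and the integrity hash, which is what `npm ci` relies on.
function auditLock(manifest, lock) {
  const findings = {};
  for (const [name, spec] of Object.entries(manifest.dependencies)) {
    const entry = lock.packages[`node_modules/${name}`];
    const ok = entry && satisfies(spec, entry.version);
    if (!entry) findings[name] = "missing from lock";
    else if (ok === null) findings[name] = "unsupported range syntax";
    else if (ok === false) findings[name] = `lock has ${entry.version}, outside ${spec}`;
    else if (!entry.integrity) findings[name] = "no integrity hash";
    else findings[name] = `pinned to ${entry.version}`;
  }
  return findings;
}
console.log(auditLock(manifest, lock));
```

Against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and `JSON.parse(fs.readFileSync("package-lock.json"))`; any verdict other than "pinned to ..." is a dependency whose installed version is not fully determined by what is committed to source control.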

Conclusion

Both package managers are good, and the choice depends on the project's requirements. As we can see in the previous screenshots, yarn offers better performance and focuses on security features. On the other hand, npm offers better compatibility with old projects and continues to evolve, bringing better performance and security.