Ashutosh Kumar

npm v/s yarn v/s pnpm

Ready to talk package managers? You know, those tools that make your life as a developer so much easier (or sometimes, more frustrating)? Well, we're here to compare the three big players: npm, Yarn, and pnpm.

It's kind of like choosing your favourite type of pizza - they're all great in their own way, but which one is the best?
Well that's exactly what we're going to do in this blog. Buckle up and grab your favourite snack (pizza or nachos, anyone?) because we're about to dive into the details of each one. Get ready for some fun and maybe even a few surprises along the way!

1. Speed

I decided to put the installation speed of npm, Yarn, and pnpm to the test. I installed Express, Passport, and dotenv using each package manager and waited impatiently for the installations to finish. I was so impressed by how fast they were that I started to suspect they might have secretly installed themselves while I wasn't looking! But in all seriousness, the results were quite interesting. Keep reading to find out which package manager reigns supreme when it comes to installation speed.

  • Npm
    npm install in a folder with package-lock.json

  • Yarn
    yarn install in a folder with yarn.lock

  • Pnpm
    pnpm install in a folder with pnpm-lock.yaml

With its handy lockfile feature, Yarn speeds up installation time significantly. Sure, npm has been making improvements to its installation speed lately, but it still can't keep up with the lightning-fast Yarn. And while pnpm is also faster than npm, it's not quite as speedy as Yarn. Now, I know what you're thinking - it's just a small difference in speed, right? But trust me, when you're dealing with a massive number of dependencies, Yarn's speed will blow your mind!

2. Dependency Resolution

Alright, time for a quick lesson in dependency resolution. Yarn, our speedy friend from before, uses a deterministic algorithm that ensures the same set of dependencies are installed on all machines. It's like a reliable GPS that never leads you astray. On the other hand, npm's flat dependency structure can sometimes lead to conflicts. It's like a bad GPS that takes you through the wrong route and leaves you stranded. And then there's pnpm, our adventurous buddy that likes to live life on the edge. It installs dependencies by sharing packages between projects, which can be faster, but can also cause conflicts. It's like a GPS that takes you on a scenic route, but occasionally leaves you lost in the wilderness. I would want to give you a good-old-long example here, but then that will make this blog lengthy && boring.

But hey, I have a much simpler explanation. Let's take an example package, "PackageX" (let's call it the POWER PUFF PACKAGE). If you have version 3.0.1 of this package installed and your package.json file specifies a range of 3.x.x, then if you reinstall it using npm, it will keep the same version (no upgrade to 3.4.0, which is the latest version). However, if you use Yarn, it will always install the latest matching version, even if you delete the lockfile. This makes Yarn more consistent in its behaviour, ensuring that you get the latest version of the package every time.

3. Offline Mode (OG)

Yarn and pnpm are two package managers that come with a feature that many developers find handy: offline mode. With Yarn or pnpm, you can install packages even if you don't have an internet connection, as long as you have already downloaded the necessary files. This feature can be especially useful if you are working on a project while traveling or in an area with spotty internet connection. However, if you are using npm, you won't have the luxury of an offline mode. That means you'll need a stable internet connection in order to install packages, which can be a bit of a bummer for those who are often on the go.

4. Security

Yarn's security features are nothing to be knitted about! With its use of checksums to ensure package integrity and a built-in command to audit packages for vulnerabilities, Yarn is a real yarn-spinner when it comes to security. Meanwhile, npm and pnpm's security features are similar but not as tightly knit as Yarn's.

Yarn's checksum feature ensures that the installed package matches the package distributed on the registry. This prevents malicious actors from tampering with the package during transit. To verify a package's checksum, you can run the following command in Yarn:

yarn check --integrity

In addition to checksums, Yarn also has a command for auditing packages for security vulnerabilities. This command checks for known security vulnerabilities in all installed packages and their dependencies. It also suggests steps for resolving any vulnerabilities found.

npm also has a similar npm audit command, but it's not as advanced as Yarn's audit feature. pnpm, on the other hand, relies on npm's security features and doesn't have any additional security measures like checksums.
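
What a lockfile checksum check amounts to, as an added example (not code from the original post or from any of the package managers): the `integrity` value recorded for a locked package is a Subresource Integrity string, and it is compared with a hash of the downloaded tarball. The lockfile shape follows npm's `package-lock.json`; the package names, the mirror host and the tarball bytes are constructed, and `parseSri`, `verifyTarball` and `auditLockfile` are hypothetical helper names.

```javascript
const crypto = require("node:crypto");

// Strongest first; sha1 still appears in old lockfiles and should be flagged.
const ALGOS = ["sha512", "sha384", "sha256", "sha1"];

// Parse an SRI string ("sha512-<base64> sha1-<base64>") into {algo, digest} pairs.
function parseSri(sri) {
  return String(sri || "").trim().split(/\s+/).filter(Boolean).map((part) => {
    const i = part.indexOf("-");
    return { algo: part.slice(0, i), digest: part.slice(i + 1) };
  }).filter((h) => ALGOS.includes(h.algo));
}

// Verify tarball bytes against the strongest hash present in the SRI string.
function verifyTarball(tarball, sri) {
  const hashes = parseSri(sri).sort((a, b) => ALGOS.indexOf(a.algo) - ALGOS.indexOf(b.algo));
  if (hashes.length === 0) return { ok: false, reason: "no usable integrity value" };
  const { algo, digest } = hashes[0];
  const actual = crypto.createHash(algo).update(tarball).digest();
  const expected = Buffer.from(digest, "base64");
  const ok = expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  return ok ? { ok, algo } : { ok, algo, reason: "digest mismatch" };
}

// Flag lockfile entries that cannot be verified well or that come from an unexpected host.
function auditLockfile(lock, allowedHost) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "" || pkg.link) continue; // root project and workspace links carry no tarball
    const hashes = parseSri(pkg.integrity);
    if (hashes.length === 0) findings.push(`${path}: missing integrity`);
    else if (hashes.every((h) => h.algo === "sha1")) findings.push(`${path}: sha1 only`);
    const host = pkg.resolved ? new URL(pkg.resolved).host : null;
    if (host && host !== allowedHost) findings.push(`${path}: resolved from ${host}`);
  }
  return findings;
}

// Constructed sample data: fake tarball bytes and a lockfile in package-lock.json v3 shape.
const tarball = Buffer.from("constructed tarball bytes for powerpuff-package 3.0.1");
const sri = "sha512-" + crypto.createHash("sha512").update(tarball).digest("base64");
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/powerpuff-package": { version: "3.0.1", resolved: "https://registry.npmjs.org/powerpuff-package/-/powerpuff-package-3.0.1.tgz", integrity: sri },
  "node_modules/old-dep": { version: "1.0.0", resolved: "https://registry.npmjs.org/old-dep/-/old-dep-1.0.0.tgz", integrity: "sha1-" + crypto.createHash("sha1").update("x").digest("base64") },
  "node_modules/mirror-dep": { version: "2.0.0", resolved: "https://mirror.example.test/mirror-dep-2.0.0.tgz" },
} };
```

Calling `auditLockfile(sampleLock, "registry.npmjs.org")` reports the sha1-only entry and the entry that has no integrity value and resolves from the mirror host; `verifyTarball` fails as soon as a single byte of the tarball differs from what was locked.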

5. Custom Registries

Listen, if you're anything like me, you don't want to be stuck with just the default registries. Thankfully, all three package managers offer some level of support for custom registries. But let's be real: Yarn has the VIP treatment when it comes to private registries. And with its selective version resolution feature, you can cherry-pick the best dependencies from your favorite registry while still keeping things cozy with the default one. Sorry npm and pnpm, but Yarn's got the hookup.

Conclusion

Check out the Why upgrade to Yarn Berry?

Ranking Yarn tops, pnpm follows, npm lags

Now, I know what you're thinking. 'Oh great, here comes the biased opinion.' But hey, it is what it is. After analyzing all the features and functionality of Yarn, npm, and pnpm, I gotta say, Yarn takes the cake, baby! It's faster than a cheetah on caffeine, has security features that could make a CIA agent jealous, and can handle custom registries like a boss. Don't get me wrong, npm and pnpm are cool and all, but they're just not on the same level as Yarn. So, if you want to be the coolest kid on the block (or in the dev world), use Yarn for all your JavaScript projects. Trust me, your code will thank you.

Top comments (31)

Chris Cook

All three package managers support lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and install dependencies according to that. I cannot see any reason to favor Yarn over the others?

renzhamin

npm's dependency resolution is inferior compared to yarn. I was working in a react project, after installing some packages, it suddenly became irreproducible on other devices, npm install or npm clean-install just wouldn't work. Tried out yarn and it worked out just fine

Ashutosh Kumar

@renzhamin This happened multiple times with me as well, when it comes to using private GitHub repo-based packages. Its resolution is too slow and often fails on different platforms.

Tim Nolte

It's probably because you were using npm wrong. If you want consistency in the versions installed you need to use npm ci and not npm install.

Ashutosh Kumar

I do wanna agree, choosing a package manager won't make much of a great difference but I prefer yarn. Also believe me when I say, I didn't mean Yarn is the only package manager which supports lockfiles. I meant its package resolution through the lockfile is much faster.

Thanks for making it clear though.

Gutem

You CLEARLY don't know what you're talking about.

1 - it's VERY tendentious to promote YARN.

2 - you should always use a lockfile to handle dependencies to keep EXACTLY the same package versions (have you ever heard about The 12 Factor App?!?).

3 - yarn check is deprecated since Feb/2019 (github.com/yarnpkg/rfcs/pull/106). Actually, you shouldn't be using yarn v1 anymore.

4 - yarn check never was implemented to be a security feature. It's a feature to verify if the installation was done successfully (github.com/yarnpkg/rfcs/pull/106#p...). This is how it would be in a secure way: docs.npmjs.com/about-registry-sign...

5 - Yarn audit USES the npm's audit database (github.com/yarnpkg/yarn/blob/158d9...). yarn does this in a very ineffective way, by the way, if compared with npm way, cause it uses only the database and npm really checks for version, integrity and signing.

npm ALWAYS checks for integrity when installing packages. Ask apologies to your readers, update the post summing up the yarn install + yarn check --integrity times to have a more real case approach.

And, please, RTFM before shitposting.

Ashutosh Kumar

Really Sorry My man, Just trying to do better.

Camilo Martinez • Edited

If some of you need to use different package managers, I recommend looking at the swpm Switch Package Manager project.

You always write the same command no matter the Package Manager and it will translate the command according to the Package Manager used on the project.

Supports: npm, yarn, pnpm and bun

Ashutosh Kumar

Goddamn I was waiting for your comment. Wherever there is a conversation about package manager I see this. Guys this swpm can be really helpful. :)

Tony Brix

I created nstl a while ago that is similar to swpm.

Camilo Martinez

This comic speaks with the wisdom of the universe. 😅

Stefan

However, if you use Yarn, it will always install the latest matching version, even if you delete the lockfile

This should be the case with NPM too, if you delete the lockfile it should install the latest version.
On the other hand, if you want consistency, having a 3.0.1 version(fe) installed locally and then CI installs 3.1.1 even though lockfile specifies 3.0.1 is def inconsistent.

Holiq Ibrahim

is the yarn described v1 or v3/berry?

Ashutosh Kumar • Edited

dev.to/raxraj/why-upgrade-to-yarn-...

@holiq I just published this one. I'll be glad if you take a look at that.

Holiq Ibrahim

Thanks mate!

Ashutosh Kumar

I was talking about yarn v1

Holiq Ibrahim

Can you compare it with yarn v3/berry too?

Ashutosh Kumar

Sure Can do!.. I will get on it today.

Dániel Sebestyén

I have to admit Yarn has good features.

Regarding lockfiles, all 3 support the feature.
It is often overlooked, like your example of the 'no more reproducible state of installation': npm can install the same state using the ci command, and pnpm by providing the --frozen-lockfile option to the install command.

It's another discussion that Yarn behaves like this by default.

Also regarding the offline mode, each can cache the downloaded packages, though sure, they handle them with different approaches.

One key differentiator that I'm missing here though is the workspaces feature. For that I'm sure Yarn has a solid lead and in fact most of the points the author made here are serving this feature.

Ashutosh Kumar

@dannystyleart Great points!!

Rami Mustaklem • Edited

Apparently you haven't used PNPM, and missed a few cons for yarn. Here is my take on why I use pnpm over yarn and npm.

Ashutosh Kumar

Awesome article, I guess I need to give pnpm a serious try.

fruntend

Congratulations 🥳! Your article hit the top posts for the week - dev.to/fruntend/top-10-posts-for-f...
Keep it up 👍

Ashutosh Kumar

Awesome. Thanks for writing about this

Agik Setiawan

Love to yarn

Ashutosh Kumar

Yarn and knit! lol

Davide Bianchi

Your analysis is nice, however I think some points are missing:

  • caching
  • storage consumption
  • monorepos support
 
Ashutosh Kumar

I agree! Thanks. I would love to be more comprehensive next time.