Ready to talk package managers? You know, those tools that make your life as a developer so much easier (or sometimes, more frustrating)? Well, we're here to compare the three big players: npm, Yarn, and pnpm.
It's kind of like choosing your favourite type of pizza - they're all great in their own way, but which one is the best?
Well that's exactly what we're going to do in this blog. Buckle up and grab your favourite snack (pizza or nachos, anyone?) because we're about to dive into the details of each one. Get ready for some fun and maybe even a few surprises along the way!
1. Speed
I decided to put the installation speed of npm, Yarn, and pnpm to the test. I installed Express, Passport, and dotenv using each package manager and waited impatiently for the installations to finish. I was so impressed by how fast they were that I started to suspect they might have secretly installed themselves while I wasn't looking! But in all seriousness, the results were quite interesting. Keep reading to find out which package manager reigns supreme when it comes to installation speed.
Pnpm
With its handy lockfile feature, Yarn speeds up installation time significantly. Sure, npm has been making improvements to its installation speed lately, but it still can't keep up with the lightning-fast Yarn. And while pnpm is also faster than npm, it's not quite as speedy as Yarn. Now, I know what you're thinking - it's just a small difference in speed, right? But trust me, when you're dealing with a massive number of dependencies, Yarn's speed will blow your mind!
2. Dependency Resolution
Alright, time for a quick lesson in dependency resolution. Yarn, our speedy friend from before, uses a deterministic algorithm that ensures the same set of dependencies is installed on all machines. It's like a reliable GPS that never leads you astray. On the other hand, npm's flat dependency structure can sometimes lead to conflicts. It's like a bad GPS that takes you through the wrong route and leaves you stranded. And then there's pnpm, our adventurous buddy that likes to live life on the edge. It installs dependencies by sharing packages between projects, which can be faster, but can also cause conflicts. It's like a GPS that takes you on a scenic route, but occasionally leaves you lost in the wilderness. I would love to give you a good old long example here, but that would make this blog lengthy && boring.
But Hey, I have a much simpler explanation. Let's take an example package, "PackageX" (let's call it the POWER PUFF PACKAGE). If you have version 3.0.1 of this package installed and your package.json file specifies a range of 3.x.x, then if you reinstall it using npm, it will keep the same version (no upgrade to 3.4.0, which is the latest version). However, if you use Yarn, it will always install the latest matching version, even if you delete the lockfile. This makes Yarn more consistent in its behaviour, ensuring that you get the latest version of the package every time.
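To make the PackageX story concrete, here is an added example (written for this post, not code from npm, Yarn or pnpm) that models the two resolution policies the paragraph contrasts: "keep the pinned version as long as it still satisfies the range" versus "always take the newest version the registry offers in range". The registry contents, the package name `packagex`, the `resolve` and `highestMatching` functions and the policy names are all constructed for illustration; only exact versions and `x` wildcards are handled, not the full semver grammar (`^`, `~`, `||`).

```javascript
// Constructed sample registry: the versions a hypothetical package offers.
const REGISTRY = {
  packagex: ['2.9.0', '3.0.1', '3.1.1', '3.4.0', '4.0.0'],
};

// Split "3.4.0" into numeric parts so versions can be compared.
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Ascending comparator: negative when a < b, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Range matcher for exact versions ("3.0.1") and x-ranges ("3.x.x", "3.4.x", "3").
// A missing or "x"/"*" component matches anything from that position on.
function satisfies(version, range) {
  const want = range.split('.');
  const have = version.split('.');
  for (let i = 0; i < 3; i++) {
    const w = want[i] === undefined ? 'x' : want[i];
    if (w === 'x' || w === '*') return true;
    if (Number(w) !== Number(have[i])) return false;
  }
  return true;
}

// Highest registry version that satisfies the range, or null if none does.
function highestMatching(name, range) {
  const candidates = (REGISTRY[name] || []).filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Resolve one dependency under a named policy (hypothetical policy names):
//   'prefer-lock'     honour the lockfile pin whenever it still fits the range
//   'newest-in-range' ignore the pin and take the newest matching version
// The lockfile is a plain { name: version } map, constructed for the example.
function resolve(name, range, lockfile, policy) {
  const pinned = lockfile[name];
  if (policy === 'prefer-lock' && pinned && satisfies(pinned, range)) {
    return { version: pinned, source: 'lockfile' };
  }
  // Either no usable pin, or the policy always re-resolves: the result now
  // depends on what the registry holds at install time.
  return { version: highestMatching(name, range), source: 'registry' };
}

// Stand-alone demonstration of the scenario from the post.
const lock = { packagex: '3.0.1' };
console.log(resolve('packagex', '3.x.x', lock, 'prefer-lock'));     // 3.0.1 from lockfile
console.log(resolve('packagex', '3.x.x', lock, 'newest-in-range')); // 3.4.0 from registry
console.log(resolve('packagex', '3.x.x', {}, 'prefer-lock'));       // no pin: 3.4.0 from registry
```

The part worth noticing for reproducible builds is the `source` field: only the `prefer-lock` path with a valid pin gives every machine the same answer regardless of what the registry has published since. A pin that no longer satisfies the range (say the range was bumped to `4.x.x` while the lockfile still says `3.0.1`) falls through to the registry, which is the moment a "works on my machine" install can diverge from CI.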
3. Offline Mode (OG)
Yarn and pnpm are two package managers that come with a feature many developers find handy: offline mode. With Yarn or pnpm, you can install packages even if you don't have an internet connection, as long as you have already downloaded the necessary files. This feature can be especially useful if you are working on a project while travelling or in an area with a spotty internet connection. However, if you are using npm, you won't have the luxury of an offline mode. That means you'll need a stable internet connection in order to install packages, which can be a bit of a bummer for those who are often on the go.
4. Security
Yarn's security features are nothing to be knitted about! With its use of checksums to ensure package integrity and a built-in command to audit packages for vulnerabilities, Yarn is a real yarn-spinner when it comes to security. Meanwhile, npm and pnpm's security features are similar but not as tightly knit as Yarn's.
Yarn's checksum feature ensures that the installed package matches the package distributed on the registry. This prevents malicious actors from tampering with the package during transit. To verify a package's checksum, you can run the following command in Yarn:
yarn check --integrity
In addition to checksums, Yarn also has a command for auditing packages for security vulnerabilities. This command checks for known security vulnerabilities in all installed packages and their dependencies. It also suggests steps for resolving any vulnerabilities found.
npm also has a similar npm audit command, but it's not as advanced as Yarn's audit feature. pnpm, on the other hand, relies on npm's security features and doesn't have any additional security measures like checksums.
5. Custom Registries
Listen, if you're anything like me, you don't want to be stuck with just the default registries. Thankfully, all three package managers offer some level of support for custom registries. But let's be real: Yarn has the VIP treatment when it comes to private registries. And with its selective version resolution feature, you can cherry-pick the best dependencies from your favorite registry while still keeping things cozy with the default one. Sorry npm and pnpm, but Yarn's got the hookup.
Conclusion
Check out: Why upgrade to Yarn Berry?
Now, I know what you're thinking. 'Oh great, here comes the biased opinion.' But hey, it is what it is. After analyzing all the features and functionality of Yarn, npm, and pnpm, I gotta say, Yarn takes the cake, baby! It's faster than a cheetah on caffeine, has security features that could make a CIA agent jealous, and can handle custom registries like a boss. Don't get me wrong, npm and pnpm are cool and all, but they're just not on the same level as Yarn. So, if you want to be the coolest kid on the block (or in the dev world), use Yarn for all your JavaScript projects. Trust me, your code will thank you.
Top comments (31)
All three package managers support lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and install dependencies according to them. I cannot see any reason to favor Yarn over the others?
npm's dependency resolution is inferior compared to yarn. I was working in a React project; after installing some packages, it suddenly became irreproducible on other devices, npm install or npm clean-install just wouldn't work. Tried out yarn and it worked out just fine.
@renzhamin This happened multiple times with me as well, when it comes to using private GitHub repo based packages. Its resolution is too slow and often fails on different platforms.
It's probably because you were using npm wrong. If you want consistency in the versions installed you need to use npm ci and not npm install.
I do wanna agree, choosing a package manager won't make much of a great difference but I prefer yarn. Also believe me when I say, I didn't mean Yarn is the only package manager which supports lockfiles. I meant its package resolution through the lockfile is much faster. Thanks for making it clear though.
You CLEARLY don't know what you're talking about.
1 - it's VERY tendentious to promote YARN.
2 - you should always use a lockfile to handle dependencies to keep EXACTLY the same package versions (have you ever heard about The 12 Factor App?!?).
3 - yarn check is deprecated since Feb/2019 (github.com/yarnpkg/rfcs/pull/106). Actually, you shouldn't be using yarn v1 anymore.
4 - yarn check never was implemented to be a security feature. It's a feature to verify if the installation was done successfully (github.com/yarnpkg/rfcs/pull/106#p...). This is how it would be done in a secure way: docs.npmjs.com/about-registry-sign...
5 - Yarn audit USES npm's audit database (github.com/yarnpkg/yarn/blob/158d9...). yarn does this in a very ineffective way, by the way, if compared with the npm way, cause it uses only the database and npm really checks for version, integrity and signing.
npm ALWAYS checks for integrity when installing packages. Ask apologies to your readers, update the post summing up the yarn install + yarn check --integrity times to have a more real case approach. And, please, RTFM before shitposting.
Really Sorry My man, Just trying to do better.
If some of you need to use different package managers, I recommend looking at the swpm Switch Package Manager project.
You always write the same command no matter the Package Manager and it will translate the command according to the Package Manager used on the project.
Supports: npm, yarn, pnpm and bun
Goddamn I was waiting for your comment. Wherever there is a conversation about package manager I see this. Guys this swpm can be really helpful. :)
I created nstl a while ago that is similar to swpm.
This comic speaks with the wisdom of the universe. 😅
This should be the case with NPM too, if you delete the lockfile it should install the latest version.
On the other hand, if you want consistency, having a 3.0.1 version(fe) installed locally and then CI installs 3.1.1 even though lockfile specifies 3.0.1 is def inconsistent.
Is the Yarn described v1 or v3/berry?
dev.to/raxraj/why-upgrade-to-yarn-...
@holiq I just published this one. I'll be glad if you take a look on that.
Thanks mate!
I was talking about yarn v1
Can you compare it with yarn v3/berry too?
Sure Can do!.. I will get on it today.
I have to admit Yarn has good features.
Regarding lockfiles, all 3 support the feature.
It is often overlooked like your example of the 'no more reproducible state of installation': npm can install the same state using the ci command, and pnpm by providing the --frozen-lockfile option to the install command.
It's another discussion that Yarn behaves like this by default.
Also regarding the offline mode, each can cache the downloaded packages, though sure they handle them with a different approach.
One key differentiator that I'm missing here though is the workspaces feature. For that I'm sure Yarn has a solid lead and in fact most of the points the author made here are serving this feature.
@dannystyleart Great points!!
Apparently you haven't used PNPM, and missed a few cons for yarn. Here is my take on why I use pnpm over yarn and npm.
Awesome article, I guess I need to give pnpm a serious try.
Congratulations 🥳! Your article hit the top posts for the week - dev.to/fruntend/top-10-posts-for-f...
Keep it up 👍
Awesome. Thanks for writing about this
Love to yarn
Yarn and knit! lol
Your analysis is nice, however I think some points are missing:
I agree! Thanks. I would love to be more comprehensive next time.