Ready to talk package managers? You know, those tools that make your life as a developer so much easier (or sometimes, more frustrating)? Well, we're here to compare the three big players: npm, Yarn, and pnpm.
It's kind of like choosing your favourite type of pizza - they're all great in their own way, but which one is the best?
Well, that's exactly what we're going to do in this blog. Buckle up and grab your favourite snack (pizza or nachos, anyone?) because we're about to dive into the details of each one. Get ready for some fun and maybe even a few surprises along the way!
I decided to put the installation speed of npm, Yarn, and pnpm to the test. I installed Express, Passport, and dotenv using each package manager and waited impatiently for the installations to finish. I was so impressed by how fast they were that I started to suspect they might have secretly installed themselves while I wasn't looking! But in all seriousness, the results were quite interesting. Keep reading to find out which package manager reigns supreme when it comes to installation speed.
In that run, Yarn finished first, pnpm a close second, and npm last. A caveat before you read too much into it: all three package managers use a lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml), so a lockfile is not what makes Yarn fast, and installing three packages on a warm cache says little about a large project. pnpm keeps one copy of every package version in a content-addressable store and hard-links it into node_modules instead of copying, which is why it tends to pull ahead as the dependency count grows. When you're dealing with a massive number of dependencies, benchmark your own project rather than trusting a three-package race.
Alright, time for a quick lesson in dependency resolution. All three package managers resolve the ranges in package.json to exact versions and record them in a lockfile, so a repeat install on another machine gets the same tree. That reliable GPS that never leads you astray is the lockfile, not something unique to Yarn. Where they differ is the layout of node_modules. npm and Yarn 1 hoist packages into a flat node_modules and only nest a second copy when two dependents need incompatible versions. Flat hoisting resolves quickly, but it also lets your code import packages it never declared (phantom dependencies). That's the bad GPS: the route works until a transitive dependency changes and the undeclared import suddenly can't be found. pnpm, our adventurous buddy, stores each package version once in a shared, content-addressable store and links it into node_modules as a strict nested tree, so each package sees only the dependencies it declared. Sharing the store across projects is what makes it fast and cheap on disk, and the strictness doesn't cause conflicts; it fails an undeclared import with a module-not-found error instead of letting it silently work. A scenic route, but one that tells you the moment you wander off the map. I would want to give you a good-old-long example here, but that would make this blog lengthy && boring.
But hey, I have a much simpler explanation. Let's take an example package, "PackageX" (let's call it the POWER PUFF PACKAGE). Say you have version 3.0.1 installed, your package.json specifies the range 3.x.x, and 3.4.0 is the latest release. With the lockfile present, reinstalling with npm, Yarn or pnpm keeps 3.0.1: the lockfile pins the exact version (and its integrity hash), and the range in package.json is only used to confirm the lockfile is still in sync. Delete the lockfile and all three resolve the range afresh and install 3.4.0. So the consistency comes from the lockfile, not from the package manager, which is why you commit it and install strictly from it in CI (npm ci, yarn install --frozen-lockfile in Yarn 1, yarn install --immutable in Yarn Berry, pnpm install --frozen-lockfile). That is also what stops a freshly published 3.4.1 that turns out to be malicious from sliding into a build just because it matches 3.x.x.
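Here is the POWER PUFF PACKAGE scenario in working code. This is an added example, not code from the original post or from npm, Yarn or pnpm: a small resolver that turns a package.json range into one exact version, either from a lockfile or from a registry listing. The package name, the versions and the registry listing are constructed for illustration; the resolver handles x-ranges (3.x.x), caret (^), tilde (~) and exact versions, which covers what most package.json files contain.

```javascript
// Added example (not from the original post): resolving a package.json range
// to an exact version, with and without a lockfile. Registry data is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Translate a range into [lo inclusive, hi exclusive] bounds.
function rangeBounds(range) {
  const isX = (s) => s === undefined || s === 'x' || s === 'X' || s === '*';
  let m;
  if ((m = /^(\d+)(?:\.(\d+|[xX*]))?(?:\.(\d+|[xX*]))?$/.exec(range))) {
    const M = Number(m[1]);
    if (isX(m[2])) return { lo: [M, 0, 0], hi: [M + 1, 0, 0] };      // 3, 3.x, 3.x.x
    const mi = Number(m[2]);
    if (isX(m[3])) return { lo: [M, mi, 0], hi: [M, mi + 1, 0] };    // 3.0.x
    const p = Number(m[3]);
    return { lo: [M, mi, p], hi: [M, mi, p + 1] };                   // exact 3.0.1
  }
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(range))) {
    // Caret allows changes that don't touch the left-most non-zero component.
    const [M, mi, p] = parseVersion(m[1]);
    if (M > 0) return { lo: [M, mi, p], hi: [M + 1, 0, 0] };
    if (mi > 0) return { lo: [M, mi, p], hi: [M, mi + 1, 0] };
    return { lo: [M, mi, p], hi: [M, mi, p + 1] };
  }
  if ((m = /^~(\d+\.\d+\.\d+)$/.exec(range))) {
    // Tilde allows patch-level changes only.
    const [M, mi, p] = parseVersion(m[1]);
    return { lo: [M, mi, p], hi: [M, mi + 1, 0] };
  }
  throw new Error(`unsupported range syntax: ${range}`);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(range);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// registry: { name: [versions] }; lockfile: { name: { version } } or null.
function resolve(name, range, registry, lockfile) {
  const locked = lockfile && lockfile[name];
  if (locked) {
    // The lockfile pins the exact version. The range is only used to confirm the
    // lockfile is still in sync with package.json (the check `npm ci` performs).
    if (!satisfies(locked.version, range)) {
      throw new Error(`lockfile out of sync: ${name}@${locked.version} does not satisfy ${range}`);
    }
    return { version: locked.version, source: 'lockfile' };
  }
  // No lockfile: pick the highest published version that satisfies the range.
  const candidates = (registry[name] || []).filter((v) => satisfies(v, range));
  if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  candidates.sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  return { version: candidates[candidates.length - 1], source: 'registry' };
}

// Constructed registry listing for PackageX: 3.0.1 is installed, 3.4.0 is the
// newest release, 4.0.0 is a breaking release outside the 3.x.x range.
const REGISTRY = { PackageX: ['2.9.0', '3.0.1', '3.2.0', '3.4.0', '4.0.0'] };
const LOCKFILE = { PackageX: { version: '3.0.1' } };

const pinned = resolve('PackageX', '3.x.x', REGISTRY, LOCKFILE);
const fresh = resolve('PackageX', '3.x.x', REGISTRY, null);
console.log(`lockfile present: ${pinned.version}, lockfile deleted: ${fresh.version}`);
```

The interesting branch is the out-of-sync check: if someone edits package.json to 4.x.x without regenerating the lockfile, a strict install should refuse rather than quietly pick a version, which is exactly the behaviour you want in CI.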
Yarn and pnpm both come with a feature that many developers find handy: offline mode. yarn install --offline and pnpm install --offline install from what is already in the local cache (Yarn 1 can also keep a committed mirror of tarballs via the yarn-offline-mirror setting), so you can keep working while travelling or on a spotty connection. npm is not actually left out, though: npm install --offline installs from the npm cache, and --prefer-offline uses the cache where it can and only goes to the network for what is missing. The catch is the same for all three: offline mode only covers packages the cache already holds, so the first install of a new dependency still needs a connection.
Yarn's security features are nothing to be knitted about! It verifies a checksum for every package it installs and ships a built-in command to audit packages for vulnerabilities, which makes it a real yarn-spinner when it comes to security. The honest comparison, though, is that npm and pnpm do the same: all three record an integrity hash per package in the lockfile and all three have an audit command, so the differences are in the details rather than in who has the feature.
Yarn's checksum feature ensures that the installed package matches the one the lockfile recorded: yarn.lock stores an integrity field (a Subresource Integrity string such as sha512-...) for each package, and the downloaded tarball is hashed and compared before it is unpacked. This catches a package tampered with in transit or served by a compromised mirror. npm's package-lock.json and pnpm-lock.yaml store the same kind of integrity field and enforce it the same way; an npm install whose tarball doesn't match fails with an EINTEGRITY error. What none of them can tell you is whether the package was safe when the hash was recorded: a malicious version that got into the lockfile verifies perfectly, so review lockfile diffs. To re-verify the installed tree against the lockfile in Yarn 1, run:
yarn check --integrity
Yarn Berry checks on every install, and yarn install --check-cache re-fetches every package and re-hashes it.
In addition to checksums, Yarn also has a command for auditing packages for security vulnerabilities: yarn audit in Yarn 1, yarn npm audit in Yarn Berry. It checks the exact versions in the installed tree, including transitive dependencies, against the registry's advisory database and suggests steps for resolving what it finds.
npm has the equivalent npm audit, plus npm audit fix, which bumps vulnerable dependencies for you and which Yarn 1 lacks. pnpm has pnpm audit, and its pnpm-lock.yaml carries the same integrity hashes, so it is not true that pnpm skips checksums. Since all three query the same advisory data for the same pinned versions, their findings are largely the same. The shared caveat: an audit only knows about reported advisories. A freshly published malicious version or a typosquatted name has none, which is where the lockfile and its integrity hashes, not the audit, do the work.
Listen, if you're anything like me, you don't want to be stuck with just the default registry. Thankfully, all three package managers support custom and private registries: npm and pnpm read .npmrc (pnpm honours the same file), Yarn 1 reads .yarnrc and most of .npmrc, and Yarn Berry uses .yarnrc.yml with npmRegistryServer and npmScopes. The feature that matters most is scoped registries, which let you pull your @yourcompany/* packages from the private registry while everything else comes from the public one, for example @yourcompany:registry=https://registry.yourcompany.example/ in .npmrc (a placeholder URL). Pin every private scope to the private registry so a public package with the same name can't be substituted for yours; that is the dependency-confusion trick. Yarn's selective version resolution is the resolutions field in package.json, which forces a transitive dependency to a version you choose; npm has the equivalent overrides field (npm 8.3 and later) and pnpm has pnpm.overrides. All three are handy when a deep dependency has a vulnerable version and upstream hasn't bumped it yet. So Yarn doesn't have an exclusive hookup here, but it did get there first.
Next, check out the follow-up post, Why upgrade to Yarn Berry?