Every team has to make various decisions before, and during, the development of a digital product. One of these usually involves yarn
, npm
or another tool to build and package javascript code. Some developers have a burning desire to go in a certain direction, and sometimes they end up spending a considerable amount of time trying to make decisions that in fact will have little impact in their everyday life.
3 min read
ยท
By Charlie Midtlyng
ยท
December 10, 2019
To understand why this is an interesting decision to make in the first place, we need to have a look at the history of package management in javascript.
npm
: frontend dependencies are downloaded manually and stored into the repositories ๐npm
is released and supports nodejs
๐ฆnpm
usage is dramatically increasing - primarily due to Browserifys
browser support ๐npm
get a competitor, bower
, that entirely supports browsers ๐ปnode_modules
โข๏ธrm -rf node_modules
the most frequently used command as a frontend developer..? ๐bower
lose the battle against npm
๐node_modules
are changed to a (more) flatten file structure! ๐ธleft-pad
becomes the worldwide news of the day ๐yarn
is released ๐npm
and bower
repositoriesyarn.lock
locks installed versions and provide deterministic dependencies. No more rm -rf node_modules
!yarn install
spend about half the time versus npm install
(without using cache)npm
releases shrinkwrap
๐งฏnpm
5 is released ๐package-lock.json
is their new tool, shrinkwrap
is put asidepackage-lock.json
take on the fight against yarns
lock filenpm ci
is released ๐ฌpackage-lock.json
directlynpm
6 is released ๐ฎโโ๏ธnpm
check security vulnerabilities for dependencies to be installedyarn
and npm
tink
is in beta mode ๐ฆnode_modules
and rather have one file with hashes for each dependency in the projectAs we can see, after the release of yarn
, npm
has been inspired (and forced?) to develop lots of good tools and mechanisms. yarn
should get credit for addressing some important problems related to npm
and put pressure on their competitor back in 2016. Both speed, security and deterministic package handling are essential features that allow today's developers to focus and concentrate on creating value - and not fighting the tool.
For convenience, I would recommend most teams (who have to make numerous other and more important technologically decisions) to choose the easiest option - npm
. It is shipped with node
and is, in 2019, sufficient enough to handle package management in a good manner.
When using monorepo, yarn workspaces
is a popular alternative whereas npm
doesn't offer an equivalent alternative. lerna
is a package that also supports usage of monorepos and works with both npm
and yarn
(with workspaces
)
PS: It should be mentioned that pnpm
is the third option for package management. pnpm's
selling point is not downloading a package if it is already downloaded in another repository - which is similar to dependency management in Java, maven
. At the time of writing, pnpm
is not as mature and production-ready as yarn
or npm
Loadingโฆ
Loadingโฆ