Difference between NPM and YARN

Gunjeev Singh
Last Updated: May 13, 2022

Introduction

Whether you have just started developing React or Node projects or have been building them for quite some time, it is almost certain that you have used NPM or YARN to maintain the packages and dependencies your project uses. Do not panic if you do not know what packages or dependencies are; we will look at these aspects as this blog progresses.

 

Before diving right into learning more about NPM and YARN, and their differences, let us look at some terms that we need to be familiar with first. 

Packages and Dependencies

Learning about package managers is only productive if, first, we establish what packages and dependencies mean. 

 

Packages and Dependencies are, as the name suggests, files or bundles of files that your project needs to run. For example, if you start a new react-app, you would find a folder called node_modules. This folder contains all the node modules that are required for your project to run.

 

The file structure of a new “create-react-app” project showing node_modules

 

If you look inside this folder, there are many files that are just the ones that are included when the project is set up for the first time. As you continue working on the project, the number of package dependencies will increase. Hence, managing them gets exceedingly complicated. This is why we need package managers. By managing dependencies, we mean installing, deleting, or updating them.

NPM and YARN

NPM stands for Node Package Manager. It is a Javascript package manager and the default for the runtime environment NodeJS. NPM is installed when NodeJS is installed on a machine. It comes with a command line interface (CLI) which is used to interact with the online database of NPM. This database is called the NPM Registry, and it hosts public and private 'packages'. To add or update packages, we use the NPM CLI to interact with this database. 

 

To know more about NodeJs, check out the blog What is Node.js? Where, When & How To Use It?

 

YARN stands for Yet Another Resource Negotiator. Just like NPM, YARN is also a package manager for public or private packages hosted on online databases. YARN was initially developed by developers at Facebook but now is open source (YARN repository). 

Essentially, both these package managers do the same job for you, i.e., help you manage your project dependencies. 

 

This raises a very basic question, if we already had NPM, why would we need YARN?

YARN was developed to overcome the performance and security issues that NPM had at that time. Since then, even NPM developers have raised the game and both the package managers have almost reached feature parity. Even then, there are some core differences between them in terms of installation, locking, and usage. We will now look at all of them.

Installation 

While NPM is installed when you install NodeJS, we need to manually install YARN.

 

Installing YARN -

// The --global flag ensures that yarn is installed globally so that we can use it in all projects.

npm install yarn --global 

 

YARN can be installed using the npm CLI as shown above. 

Locking Mechanism

Before discussing how these package managers are different regarding their file locking mechanism, let us first understand what locking is. Locking in this context refers to making a file with entries of all packages and dependencies installed in the project and their versions. This is important because when multiple people work on the same project, complications may arise if different people use different versions of the dependencies. 

 

NPM makes a package-lock.json file. This file contains entries of all dependencies used along with their versions. This file ensures that the directory and file structure in the node_modules folder are the same across all project versions.

 

An example of a package-lock.json file

 

YARN has a yarn.lock file, which is auto-generated when the project is initialized. This file also, just like the package-lock.json file, keeps track of the dependencies and “locks” their versions to a project. The yarn.lock file helps in the easy merge of packages and dependencies in the required folders.

 

An example of a yarn.lock file 

 

If you notice carefully, you will notice how the architecture of both the files differs from each other. While the package-lock file has a stricter architecture, the yarn.lock file uses the easy merge approach to increase simplicity, speed, and ease of access.

Fetching Packages

Whenever we use the CLI to add new packages to our project, there is a difference between how NPM and YARN act on it. While NPM fetches packages from the online npm registry for every ‘install’ command, YARN stores dependencies locally in most cases and fetches packages from a local disk, given that dependency has been installed earlier. This makes YARN considerably faster than NPM when it comes to fetching packages.

Security and Licencing 

Security becomes an important parameter when we compare YARN and NPM. Initially, Facebook introduced YARN because it covered the security lapses in NPM, but since then, NPM has had strong security updates.

 

If we add or install packages with security vulnerabilities in both the package managers, we are automatically given warnings for the same.

 

YARN does have some extra edge, though. This comes with the feature of licensing. We can use YARN to check the licenses of the various packages installed as:

yarn licenses list

 

This produces a neat output listing all licenses like:

 

Output log for “yarn licenses list”

 

Output Log

Another important factor that differentiates NPM from YARN is the output log. NPM has a very raw output log, while on the other hand, YARN's output log is extremely neat and readable. While NPM's logs are nothing but stacks of NPM commands, YARN's output logs are brief and given out tree form. Given below are examples of the output logs of both the package managers for the same command.

 

NPM

 

YARN

Table of Commands

The following table enlists some commonly used commands syntax in both NPM and YARN.

 

Purpose

yarn

npm

To add/install new packagesyarn add package_namenpm install package_name
To install dependenciesyarnnpm install
To uninstall packagesyarn remove package_namenpm uninstall package_name
Globally Install a packageyarn global add package_namenpm install -g package_name
To view a packageyarn info namenpm view name
To install a dev packageyarn add name -devnpm install name -save-dev
To Update a dev package

yarn upgrade name

yarn upgrade name@version

npm update name

npm update name@version

 

Common Commands

The following table enlists the commands which are common to both NPM and YARN.

 

Purpose

yarn

npm

To initialize a projectyarn initnpm init
To run a scriptyarn run {script name}npm run {script name}
To test the dependenciesyarn testnpm test
To Publish the projectyarn publishnpm publish

 

Frequently asked Questions

 

  1. What is a lock file?

A lock file is an auto-generated file with details about all the packages, dependencies, and versions used in your project. NPM locks the dependencies in a package-lock.json file, while YARN locks them in a yarn.lock file.

 

2. What is the use of the yarn 'why' command?

Another advantage of YARN over NPM is the 'why' command. The 'why' command in YARN is used to check the role of a particular dependency in your project.

 

Key Takeaways

Both NPM and YARN are useful package managers with powerful CLIs and great functionalities. While NPM was initially the only option and dominated the swarm of Javascript developers, YARN has quickly gained popularity among developers of today.

 

Now that you have a thorough understanding of the two best package managers out there, you are on your way to becoming great Javascript developers. You can start your Javascript journey here or MERN stack journey here!

Was this article helpful ?
0 upvotes