<h2>What are package managers?</h2>
<p>A package manager is a tool that installs, updates and removes the third-party libraries (dependencies) a project relies on, and records which versions are in use. Automating this saves developers a lot of manual work and reduces the errors that come with doing it by hand.</p>
<p>Most developers face the question of which package manager to choose. To give you an overview, this article compares the three most common ones for JavaScript projects, npm, Yarn and pnpm, with each other. The focus is on performance, security and support. By the end of the article you will be able to decide which of them you should definitely give a try.</p>
<h3>Npm</h3>
<p>npm is the package manager that ships with Node.js. Because Node.js runs on the backend and JavaScript dominates the frontend, npm has become a useful tool on both sides and has established itself as the standard. It was initially developed by Isaac Schlueter, who quickly realised how high the demand for his product was and therefore founded the company npm Inc. in 2014. The npm registry is the largest open-source package repository; it passed 350,000 packages years ago and has since grown into the millions.</p>
<p>One advantage of npm is the automatically generated package-lock.json. Since npm 5 the file is written on every install (the --package-lock flag only controls whether it is written and is on by default). It records the exact resolved version, the download URL and an integrity hash of every package in the dependency tree, so other developers, and your CI, install precisely the same versions on their machines. npm ci installs from the lockfile alone and fails if it disagrees with package.json, which is what you want for reproducible builds. npm also makes it easy to manage local and global dependencies, and because nested node_modules directories are allowed, several versions of the same dependency can coexist in one project.</p>
<h3>Yarn</h3>
<p>Yarn was released in 2016 by Facebook in co-operation with Google, Exponent and Tilde. (Its name is not an acronym; "Yet Another Resource Negotiator" is Hadoop's unrelated YARN.) It was developed to solve problems that npm could not solve at the time, above all determinism, security and performance problems in large code bases.</p>
<p>Yarn offers developers several advantages. For one thing, it solves problems that occur in a monorepo when working with plain npm. A classic one is keeping the dependencies of several packages in one repository in sync: with npm you had to install and update each package individually, whereas Yarn workspaces let one command at the repository root install or upgrade the dependencies of all packages together. Another big advantage is the offline cache. Every package Yarn downloads is stored in a local cache, so when you need the same package in another project it is taken from the cache instead of being downloaded again, and installs can run without network access. In addition, Yarn has built-in licence tooling: yarn licenses list shows the licence of every installed package and yarn licenses generate-disclaimer produces a combined notice. This is very useful when developing applications commercially.</p>
<h3>Pnpm</h3>
<p>pnpm was also developed to counteract the disadvantages of npm, and it is based on the same idea: it is compatible with npm, most of its commands are structured like their npm counterparts, and it adds certain improvements on top. The most important is its content-addressable store. Every package version is stored exactly once on disk; a project's node_modules contains hard links into that store, and packages are connected to their dependencies with symlinks. Identical packages are therefore no longer copied into every project, they don't have to be downloaded again for each project, and disk space is used far more efficiently. Security was also an explicit design goal. pnpm's node_modules is not flattened like npm's: a project (or a package inside it) can only resolve the dependencies declared in its own package.json. An import of a package that merely happens to be installed transitively (a so-called phantom dependency) therefore fails immediately instead of silently working until a future update removes it.</p>
<h2>Comparison of the Package Managers</h2>
<h3>User-friendliness</h3>
<p>Basically, all three package managers operate in the same way, because pnpm and Yarn were deliberately built to be drop-in compatible with npm's command set. Most commands therefore have a very similar structure.</p>
<p><img src="https://typedig.uber.space/assets/c24226a9-17b2-4b7f-997c-3df850f35c14?width=1318&height=410" alt="Screenshot 2022-03-16 at 09.54.45 (1)"></p>
<p>The CLIs (command line interfaces) of the three also look alike. The only thing that stands out is that the output of pnpm and Yarn looks a little more modern than npm's, which does not change the user-friendliness in practice.</p>
<h3>Performance</h3>
<p>In terms of speed, npm and Yarn share second place. For a long time Yarn was significantly faster than npm, but npm has since closed the gap. First place goes to pnpm by a considerable margin: depending on whether the cache and lockfile are warm, it is up to three times faster than the other two.</p>
<p>pnpm and Yarn both offer an offline install mode. Because every downloaded package is kept in a local cache on disk, packages are served from that cache instead of being downloaded from the Internet again and again, so they need not be fetched anew for each new project and installs can succeed without an internet connection. (npm has a cache too, and npm install --offline or --prefer-offline use it the same way, but the cache is less central to its design.)</p>
<h3>Security issues</h3>
<p>Unfortunately, there have been several security incidents involving npm in the past, and many projects were directly affected. Attackers took over maintainer accounts, and with them the ownership of popular packages, so that they could publish malicious versions. Developers themselves were also targeted: in 2018 the widely used event-stream package was handed to a new maintainer, who added a dependency (flatmap-stream) with hidden code that tried to steal bitcoin wallet data from machines running the Copay wallet application. It went unnoticed for weeks. npm's comparatively permissive stance does have a flip side that some count as an advantage: npm audit reports packages with known vulnerabilities but does not block their installation, so you can still work with a flagged package if you have to.</p>
<p>Yarn was therefore designed with a stricter security posture from the start. Every package Yarn installs must match the checksum recorded in yarn.lock. A checksum is a fixed-length character string produced by running a hash function over the file's contents; two files with the same checksum are, for a secure hash such as SHA-512, the same file, so a tarball that was modified in transit or on a mirror is rejected before any of its code runs. npm has done the same since version 5 via the integrity field in package-lock.json, so this is no longer a difference between the two. Note also what a checksum does not do: it proves that you received the bytes that were locked the first time, but it cannot detect a malicious version that was published to the registry and then locked in good faith, as happened with event-stream. It reduces the risk of package hijacking; it does not eliminate it.</p>
<h3>Support for monorepos</h3>
<p>Monorepos are often favoured by larger technology companies. Yarn and pnpm have supported them for a long time through workspaces (Yarn since version 1, pnpm via pnpm-workspace.yaml). npm was originally developed to manage individual projects and lagged behind here, but it has supported workspaces natively since npm 7, released in 2020, so all three can now manage a monorepo; Yarn and pnpm still offer the more mature tooling around it.</p>
<h2>Conclusion</h2>
<p>For smaller projects, npm is a great way to get started. It is not without reason that it is the most widely used package manager in the world. You should keep its disadvantages in mind, however, and switch in good time if a project outgrows it. If you are looking for a fast package manager that uses disk space efficiently, pnpm is the right choice.</p>
<p>If you need to manage a monorepo, pnpm and Yarn are the best fit; both fulfil the requirements of a monorepo out of the box. One thing worth knowing about Yarn: it is an open-source project that started at Facebook, and Yarn 1 sends no data anywhere. The Yarn 2+ line collects anonymous, opt-out usage telemetry that goes to the Yarn project itself, not to Facebook, and it can be switched off with yarn config set enableTelemetry 0.</p>