- Products
Platforms
- Resource
Company
Help
Education
Software Development Executive - II
Last updated on Jul 29, 2024
Last updated on Jan 30, 2024
JavaScript package managers play a pivotal role in web development. They are tools that automate installing, upgrading, configuring, and consistently removing computer programs. They are critical in managing the numerous packages developers use to build complex applications.
Three prominent package managers have gained popularity in the JavaScript community: NPM, Yarn, and PNPM. Each package manager has unique features and capabilities that make them suited to different projects and teams.
As the name suggests, NPM (Node Package Manager) is a package manager for the JavaScript runtime environment Node.js. It comes bundled with Node.js, so when you install Node.js, you automatically get NPM installed on your computer.
1# To install a package using NPM 2npm install <package_name> 3
Yarn is a new package manager developed by Facebook in response to some of the problems they faced with NPM, particularly regarding speed, security, and reliability. Yarn introduced some new features unavailable in NPM, such as offline package installation and deterministic dependency resolution.
1# To install a package using Yarn 2yarn add <package_name> 3
PNPM is another package manager that aims to solve some of the issues associated with NPM and Yarn. It uses a different approach to manage node modules that save disk space and provide better performance.
1# To install a package using PNPM 2pnpm add <package_name> 3
The need for better performance, security, and ease of use has primarily driven the emergence of these new package managers. They all aim to simplify managing project dependencies and ensure that the same packages are installed in the same structure every time across all environments.
NPM (Node Package Manager) is the default package manager for Node.js, a JavaScript runtime environment. It is an automatic public registry that shares standalone JavaScript modules with the world. NPM allows developers to install other people’s code packages into their projects, which can be a significant time-saver.
1# To check the installed npm version 2npm -v 3
The npm install command is used to install a package and installs all the package's dependencies. When you run npm install <package_name>, NPM downloads the package and its dependencies into the node_modules directory. If there is a package.json file in the root directory of your project, NPM will also update this file to include the newly installed package.
1# To install express module using npm 2npm install express 3
NPM has a robust system for identifying and handling bad packages. If a package is found malicious or broken, NPM provides mechanisms to report such packages, and once verified, they are removed from the registry. However, it's essential to understand that the responsibility of avoiding malicious packages also lies with the developers by checking package credibility before installing.
1# Checking a package's credibility can be done by looking at its details 2npm view <package_name> 3
NPM uses a nested dependency tree model, meaning each package can have its own set of dependencies, and those dependencies can have their dependencies, forming a tree-like structure. This model ensures that each package has the exact version of its dependencies it was designed to work with.
1# To list installed packages and their dependencies 2npm list 3
Due to its nested dependency tree model, NPM may use considerable disk space. If multiple packages depend on the same package but different versions, NPM will download and store each version separately, leading to potential disk space inefficiency. However, this approach ensures that each package operates with specified dependencies without conflicts.
1# To check the size of node_modules directory 2du -sh ./node_modules 3
Facebook introduced yarn to address some of the issues they faced with NPM, particularly speed, security, and reliability. The first version of Yarn, now known as Yarn Classic, offered features like offline package installation and deterministic dependency resolution, providing a significant performance boost over NPM.
However, the Yarn team continued. They introduced Yarn Berry, the second major version of Yarn, with improved features and architectural changes. Yarn Berry introduced a new feature called Plug'n'Play (PnP), which fundamentally changes how Yarn installs dependencies, leading to better performance and less disk space usage.
1# To check the installed yarn version 2yarn -v 3
The yarn add command is used to install a package using Yarn. Like NPM, it downloads the package and its dependencies into the node_modules directory. However, Yarn also creates a yarn.lock file which ensures the same dependencies are installed across all environments.
1# To install express module using yarn 2yarn add express 3
Unlike NPM, Yarn uses a flattened dependency tree model. This means Yarn tries to install all dependencies at a single level, reducing the duplication of packages and saving disk space. However, it can lead to version conflicts if multiple packages depend on the same package but require different versions.
1# To list installed packages and their dependencies in Yarn 2yarn list 3
Yarn's flattened dependency tree model makes it more disk space-efficient than NPM. It avoids duplicating packages, which can significantly reduce the size of the node_modules directory.
Yarn Berry introduced the Plug'n'Play (PnP), eliminating the node_modules directory. Instead of installing each package's files to a node_modules directory, Yarn PnP creates a single .pnp.js file containing a map of package names to package locations on the disk. This approach leads to installation times and faster disk space usage.
1# To enable PnP in a new Yarn Berry project 2yarn set version berry 3yarn config set pnpMode loose 4
PNPM, standing for Performant NPM, is a JavaScript package manager that aims to solve some of the issues associated with NPM and Yarn. It can be a drop-in replacement for these tools while providing better performance and disk space usage. PNPM uses a unique approach to manage node modules, which makes it highly disk efficient.
1# To check the installed pnpm version 2pnpm -v 3
PNPM uses a global store approach where all packages are stored in a single place on the disk. When a package is installed, PNPM links files from the global store to the project's node_modules folder. This approach eliminates the need for copying packages to each project, saving a significant amount of disk space.
PNPM handles duplicate packages efficiently. If multiple projects on the same machine depend on the same package version, PNPM will store the package only once in the global store and link it to each project. This approach saves disk space and speeds up the installation process.
1# To list installed packages and their dependencies in PNPM 2pnpm list 3
While PNPM uses a non-flat node_modules structure, it also provides a flattened view of the dependencies. This flattened view, also known as a "lockfile", ensures that the same dependencies are installed across all environments.
1# The pnpm-lock.yaml file shows the flattened view of the dependencies 2cat pnpm-lock.yaml 3
PNPM's approach to package management makes it highly disk efficient. The global store and the linking of packages result in less disk space usage, faster installation times, and efficient handling of duplicate packages.
When comparing NPM, Yarn, and PNPM, several key differences and similarities emerge:
The open nature of JavaScript package managers comes with a potential risk - the threat of installing malicious packages. These are packages that may contain harmful or exploitative code. When included in a project, they can cause various issues, from data breaches to system crashes. Therefore, developers must inspect and ensure the credibility of packages before integrating them into their projects.
All major package managers - NPM, Yarn, and PNPM - have mechanisms in place to handle security vulnerabilities. They provide means to report such packages, and once verified, these packages are removed from the registry. Additionally, they offer audit tools that can automatically scan for known vulnerabilities in the installed packages.
1// To audit packages for known vulnerabilities in NPM 2npm audit 3 4// To audit packages for known vulnerabilities in Yarn 5yarn audit 6 7// To audit packages for known vulnerabilities in PNPM 8pnpm audit 9
The lockfile plays a crucial role in preventing security breaches. It ensures that the same dependencies are installed across all environments, reducing the risk of installing unexpected or malicious package versions. Therefore, it's recommended to commit the lockfile to the version control system to ensure consistent installations.
The future of JavaScript package managers looks promising. With continuous improvements and new features added to NPM, Yarn, and PNPM, developers have various powerful tools. The competition among these tools also drives innovation, leading to better and more efficient ways to manage JavaScript packages.
In conclusion, NPM, Yarn, and PNPM have strengths and weaknesses. NPM is the most widely used and bundled with Node.js, making it a safe and reliable choice. Yarn offers innovative features like workspaces and deterministic installs, making it suitable for large-scale projects. PNPM stands out for its disk space efficiency, which can be a deciding factor for projects with many dependencies. Ultimately, the choice between NPM, Yarn, and PNPM will depend on your specific needs and circumstances.
Tired of manually designing screens, coding on weekends, and technical debt? Let DhiWise handle it for you!
You can build an e-commerce store, healthcare app, portfolio, blogging website, social media or admin panel right away. Use our library of 40+ pre-built free templates to create your first application using DhiWise.
