
Use yarn to manage dependencies #1488

Closed
Borewit opened this issue Sep 28, 2018 · 10 comments

@Borewit
Member

Borewit commented Sep 28, 2018

Background

Based on a discussion started here, I propose to continue the discussion here.

Do we want to check in a lock file?

And if we do, which one?

Do we want to:

  1. Ignore the lockfile, less configuration control, less security checks on dependencies, but more flexibility in using whatever local package manager you want to use locally.
  2. Use npm, the original package manager shipped with Node
  3. Use yarn, a very popular deterministic package manager developed by Facebook in collaboration with Exponent, Google, and Tilde.

Votes:

no-lock-file NPM Yarn
@jimmywarting @jimmywarting @Borewit
@sibiraj-s

Pending / not clear: @mathiasvr

@Borewit
Member Author

Borewit commented Sep 28, 2018

In addition to the benefits I already mentioned:

I am a big opponent of every NPM module which requires to be installed globally. You need a very justification to break out of your module scope to be installed globally, and need to be non-intrusive towards any other module. I noticed that yarn is close to be part of the from the core node & npm distributions. Yarn is probably, which has a good reason to be part of your global "toolbox".

Why?

1.) As a developer I experience yarn as more reliable in installing / updating the dependencies after running yarn install; as a bonus, I believe it is faster. We all know we run into a certain point where we have to delete node_modules; my impression is that yarn is more strict in translating the dependency requirements into installing the required dependencies, and it is much more unlikely you run into that situation (but only if you use yarn solely to take care of the dependencies). Jumping from one branch to another, this can be a huge benefit, which we do on this project with PRs coming from all directions.

2.) Yarn is more strict in the interpretation of version requirements, therefore it is less likely your code breaks due to some update which was not there before. Which improves configuration management control.

Draw-backs?

Sure, different character. Due to strict interpretation of the version, you need to pursue update versions more often, it doesn't automatically update package.json with patched version after an install.

Give it a try yourself, you will have to get used to the command arguments which are a bit different.

Using yarn made working with local checked out dependencies so easy.
I maintain music-metadata, and some dependencies of music-metadata. I need to be able to test my changes to an end-user application like webtorrent during development.
Yarn made it so easy to link and unlink to a local checked out dependency. Especially under Windows this used to be very painful.

@mathiasvr
Contributor

> Using yarn made working with local checked out dependencies so easy.

Is this similar to npm link? And if not, do you have an example?

Generally, I think we need more examples of how yarn could be an improvement, because it can be difficult to compare them based on opinion.

Also, I just want to note that I don't have a personal preference and am fine with either, I just have more experience with npm. If more people would prefer yarn, that's fine with me.
However, it is my impression that the differences between the two since npm v5 are minimal.

@jimmywarting
Contributor

jimmywarting commented Sep 28, 2018

So far I only hear positive feedback about yarn from two yarn users so it seems very opinion-based to me too.

Would like to hear some more cons about yarn (if any) and why some still use NPM, or has recently switched to yarn or gone back and why.

Have you recently benchmarked with the latest npm and/or npm ci?


while we are comparing npm and yarn - why don't we throw in pnpm to the mix also? that is also yet another package manager


Speaking for myself:

  • I'm a strong believer that NPM will catch up (or already has) with improvement & speed
  • Installing node comes with NPM, so why would I need yet another package manager when they both solve the same task?
  • If the decision is to move to yarn don't you force ppl to install yarn as well?
    • It would be okay if they work differently by managing cache, offline & speed as long as they agree upon a lock format that works for both, meaning yarn and npm can both use the same package-lock.json file (but they don't). Then the user on the other end could choose their own package manager as they would like to use

just some small research:
https://mixmax.com/blog/to-yarn-and-back-again-npm
https://iamturns.com/yarn-vs-npm-2018/


My philosophy has been to stick with what I know and will last forever and not follow in others' footsteps.

NPM is here to stay and will always be shipping along side with NodeJS

For example: Learning CoffeeScript would have been a mistake and updating to es6/7 would be fun. The thing is, they will always be one step behind with JavaScript. Sure they may add features but when javascript changes then CoffeeScript needs to follow.

I'm also just waiting until the day javascript adds type support... Making TypeScript obsolete and unnecessary. have fun updating (I'm sticking with js).

@sibiraj-s
Contributor

sibiraj-s commented Sep 29, 2018

the lock file was updated 8 months back. Also the repo existed without it for a long time

Why not add no lock file to this discussion. Use whatever we want. We can stay up to date. Less maintenance of packages. With Greenkeeper, even that burden will be reduced too.

At this point all package managers are aware of how dependencies are handled based on semver. We can avoid version ranges for those libs that don't follow semver

Plus, after NPM 6, I don't feel much difference between npm and yarn. But when it comes to a comparison between the two, I vote yarn.

@Borewit
Member Author

Borewit commented Sep 29, 2018

I have to admit that I did not use npm a lot recently, so it may be that they have caught up on things I am not yet aware of.

> Is this similar to npm link? And if not, do you have an example?

```bash
git clone https://github.com/Borewit/music-metadata.git
cd music-metadata
# yarn install and yarn build would be required to get it to work
# The following step only has to be done once, as long as the local path remains the same
yarn link

cd ..

# Now you can use the local dependency anywhere you like
git clone https://github.com/webtorrent/webtorrent-desktop.git
cd webtorrent-desktop
yarn link music-metadata
```

Looking at npm link, that looks pretty similar. For some reason I was struggling with npm, and it seems to work as it should with yarn.

> Why not add no lock file to this discussion.

Fair point @sibiraj-s; I updated the issue description.

@Borewit
Member Author

Borewit commented Sep 29, 2018

> why don't we throw in pnpm to the mix also?

@jimmywarting because you are not planning to use it.

What is your final vote Jimmy?

@jimmywarting
Contributor

can I have 2 votes? either no-lock or npm

@sibiraj-s
Contributor

decided?

@Borewit
Member Author

Borewit commented Oct 11, 2018

I don't see a collective thumbs up for yarn, so I guess we continue with npm and the corresponding lockfile.
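
Added example (not part of the thread and not code from the project): the thread settles on a checked-in npm lockfile, and the opening post ties the lockfile to security checks on dependencies, so this sketch shows one such check a reviewer can run over `package-lock.json`. The sample lockfile, its package names and the single allowed registry host are assumptions constructed for the illustration.

```javascript
// Constructed sample in npm's lockfileVersion 1 layout (npm 5/6); the package
// names, versions and integrity strings are made up for this example.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'left-widget': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/left-widget/-/left-widget-1.2.3.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDER==',
      dependencies: {
        'inner-util': {
          version: '0.4.0',
          resolved: 'http://mirror.example/inner-util-0.4.0.tgz',
          integrity: 'sha1-CONSTRUCTEDPLACEHOLDER='
        }
      }
    },
    'git-thing': { version: 'github:someone/git-thing#abc1234', from: 'github:someone/git-thing' },
    'bundled-bit': { version: '2.0.0', bundled: true }
  }
};

// Assumption: only the public npm registry is an expected tarball source.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Walk the nested "dependencies" tree and report entries a reviewer should look at.
function auditLock(lock, path = [], findings = []) {
  for (const [name, dep] of Object.entries(lock.dependencies || {})) {
    const where = [...path, name].join(' > ');
    if (!dep.bundled) { // bundled deps ship inside their parent's tarball
      if (!dep.resolved) {
        findings.push({ where, issue: 'no-resolved-url' });
      } else {
        const url = new URL(dep.resolved);
        if (url.protocol !== 'https:') findings.push({ where, issue: 'non-https-source' });
        if (!ALLOWED_HOSTS.has(url.hostname)) findings.push({ where, issue: 'unexpected-host' });
      }
      if (!dep.integrity) findings.push({ where, issue: 'missing-integrity' });
      else if (!/^sha(256|384|512)-/.test(dep.integrity)) findings.push({ where, issue: 'weak-integrity-hash' });
    }
    auditLock(dep, [...path, name], findings); // nested entries pinned under this one
  }
  return findings;
}

for (const f of auditLock(sampleLock)) console.log(`${f.issue}: ${f.where}`);
```

A check like this is most useful in review of pull requests that touch the lockfile, since a changed `resolved` URL or a dropped `integrity` field is easy to miss in a large diff.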

@stale

stale bot commented Jan 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Jan 9, 2019
@stale stale bot closed this as completed Jan 18, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Apr 18, 2019