Facebook and Google released Yarn yesterday—a new package manager that uses npm's registry but promises faster, more reliable, more secure installations. The collaboration between tech giants and focus on npm's pain points suggests npm has serious problems.
Whether Yarn succeeds depends on execution and whether developers tolerate another package manager.
What Yarn Fixes
Yarn addresses npm's known issues:
Speed: Yarn caches every package downloaded. Subsequent installs are significantly faster—sometimes 10x.
Reliability: Yarn uses lockfiles (yarn.lock) ensuring identical dependencies across machines. npm's lockfiles (package-lock.json) don't exist yet.
Security: Yarn checksums packages to verify integrity. npm doesn't.
Offline: Yarn installs from cache work offline. npm requires network.
Determinism: Same package.json + yarn.lock produces identical node_modules every time. npm's non-determinism causes "works on my machine" issues.
These aren't minor improvements—they're solving fundamental npm problems.
The Speed Difference
Yarn's speed is immediately noticeable:
# npm (first install)
npm install # 60 seconds
# yarn (first install)
yarn # 45 seconds
# npm (second install, cache cleared)
npm install # 60 seconds
# yarn (second install, cache exists)
yarn # 5 secondsThe caching makes subsequent installs dramatically faster. In CI environments where you rm -rf node_modules and reinstall frequently, this saves substantial time.
The Lockfile Reliability
yarn.lock records exact versions and checksums:
package@^1.0.0:
version "1.2.3"
resolved "https://registry.npmjs.org/package/-/package-1.2.3.tgz"
integrity sha1-abc123...This ensures:
- Same dependencies everywhere (dev, CI, production)
- No surprise updates from semver ranges
- Verifiable package integrity
- Reproducible builds
npm's shrinkwrap tried to solve this but was complex and often broken. Yarn's lockfile just works.
The API Compatibility
Yarn uses npm's registry and package.json format. This means:
- Existing packages work unchanged
- Migration is
yarninstead ofnpm install - Can switch back to npm anytime
- No ecosystem split
This is crucial. Yarn isn't forking npm's ecosystem—it's compatible client.
The Facebook+Google Collaboration
Yarn's development involved Facebook, Google, Exponent, and Tilde—companies normally competing. This collaboration signals shared pain with npm.
These companies run npm at scale and hit its limitations hard:
- Facebook: Thousands of developers, massive monorepos
- Google: Similarly massive internal usage
- They needed better tool and built it
What npm Is Doing Wrong
Yarn's existence is indictment of npm's pace:
Slow to address known issues: Lockfiles, security, speed—these are old problems. npm acknowledged them but didn't fix them fast enough.
Performance stagnation: npm 3 helped but npm installs remain slow. Yarn's speed proves better is possible.
Reliability problems: "Delete node_modules and reinstall" shouldn't be common debugging step. But it is.
Enterprise needs unmet: Companies need reliable, secure, fast package management. npm didn't prioritize this.
npm's Response Options
npm can:
- Dismiss Yarn: Ignore it, hope it fails. Risky—Yarn addresses real pain.
- Compete: Improve npm's speed, reliability, security. This should have happened years ago.
- Adopt Yarn's ideas: Implement lockfiles (they're working on it), improve caching, add checksums.
- Collaborate: Work with Yarn team. Unlikely given competitive dynamics.
Most likely: npm accelerates development, implements features Yarn has. Competition is good for users.
Migration Considerations
Switching to Yarn is low-risk:
- Uses same package.json
- Uses same registry
- Commands are similar (
yarn addvsnpm install) - Can switch back anytime
But considerations:
Team buy-in: Entire team must use Yarn or yarn.lock diverges
CI/CD changes: Build scripts need updating
Tool support: Some tools assume npm. Yarn compatibility varies.
Stability: Yarn is new (v0.15 at launch). Bugs exist.
For teams hitting npm pain points, experimenting with Yarn is reasonable. For teams where npm works fine, waiting makes sense.
The Lockfile Culture Change
Yarn makes lockfiles required, not optional. This is good but cultural shift:
- Lockfiles must be committed (always)
- Updates are explicit (
yarn upgrade) - Conflicts in lockfiles need resolution
- Lockfile changes are code review item
Teams used to letting npm resolve versions need to adjust to explicit version control.
Performance Impact at Scale
For large projects and CI, Yarn's benefits compound:
Monorepos: Projects with hundreds of packages benefit significantly from Yarn's caching and performance.
CI builds: Every build reinstalls dependencies. Yarn's cache makes this much faster.
Docker layers: Yarn's determinism means better layer caching in Docker builds.
Developer time: Faster installs mean less waiting. This adds up across team.
What Could Go Wrong
Yarn's risks:
npm registry dependency: Yarn relies on npm's registry. If npm blocks Yarn (unlikely but possible), problems.
Maintenance burden: Another tool to maintain, update, support. Is community sustainable?
Feature divergence: If Yarn and npm diverge significantly, ecosystem fragments.
Compatibility breaks: Yarn's npm compatibility could break with npm changes.
These aren't immediate concerns but long-term questions.
Looking Forward
Yarn's success depends on:
- Reliability: Does it actually solve problems better than npm?
- Adoption: Do teams switch and stay switched?
- npm's response: If npm matches Yarn's features, why switch?
- Community: Does ecosystem support Yarn long-term?
My prediction: Yarn accelerates npm improvements. Whether Yarn itself becomes standard or just pushes npm to improve, users win.
Competition in package management is healthy. npm's monopoly wasn't serving users well. Yarn's challenge forces improvement.
Resources:
