
npm 5: Lockfiles Finally Arrive

npm 5 is shipping with package-lock.json, and the irony isn't lost on anyone. After Yarn forced npm's hand by introducing lockfiles in October 2016, npm is finally catching up. This is competition working exactly as intended—but it also exposes some uncomfortable truths about JavaScript dependencies.

What Changed

npm 5 introduces package-lock.json, which locks down the entire dependency tree. Run npm install on any machine with the lockfile, and you get identical versions of every package, including transitive dependencies. This matches what Yarn's yarn.lock has been doing since launch.

{
  "name": "my-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "lodash": {
      "version": "4.17.4",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz",
      "integrity": "sha1-eCA6TRwyiuHYbcpkYONptX9AVa4="
    }
  }
}

The performance improvements are also significant. npm 5 is noticeably faster than npm 4, though still not quite matching Yarn's speed.


Yarn: npm Has Competition

Facebook and Google released Yarn yesterday—a new package manager that uses npm's registry but promises faster, more reliable, more secure installations. The collaboration between tech giants and its focus on npm's pain points suggest npm has serious problems.

Whether Yarn succeeds depends on execution and whether developers tolerate another package manager.

What Yarn Fixes