Package Manager Rumble

This post compares package management systems for JavaScript, including npm, Yarn, Bower and jpsm.

Along with the discussion of how to use JavaScript comes the discussion of package managers. Modules help us utilize tooling we and other developers make because WHY would you spend time re-writing something that already exists and works well?? If that question has not popped into your head or been repeated in a team meeting at least once in 2017, you might be doing it wrong. Just sayin'.

Thankfully, we have teams creating better and better experiences for us to install and organize these modules. npm, Yarn and Bower are still the leaders of the pack…age management tools, but I also wanted to throw in jspm. With close to two million installs this year, jspm is still going strong. Now, this isn't going to be a package manager brawl, despite the title of this post. I'll give you the info and you can decide what it means to you. 😘 I'm not going to lie though: I use npm and like their team and what they do a ton. So, if I come across as biased, it's probably because I am.

The Digits

Let's first take a look at the comparative installs for the year. There seems to be an almost steady level of separation between each of these package managers. npm still has a large lead over yarn but is less than double the installs of Bower. One of the first things that caught my eye is the obvious pattern of hill-like install stats. Although jspm looks to be skimming the bottom, it still reached nearly two million installs this year.

https://npm-stat.com/

npm

45,073,457 installs

It's pretty clear to see that there were many aspects of Yarn that users liked: the speed, the lockfile…

TODO: what other aspects?

😛just kidding! Although that really was my note, thank TJ VanToll for recognizing the comedic spin. Jokes aside, Yarn got a ton of attention last year because of its Facebook backing and solutions to npm users sore spots like slow installs and errors caused by package version inconsistencies.

In response, npm released version 5, which was packed with fun things. One of the main focuses of this release was increasing their speed, which, of course, prompted amazing blog post titles like, "npm@5 — Yarn killer" by Nikhil John. With this update npm is noticeably faster.

Look at that speed!

This update also included a package.lock file which has the same benefits of the yarn.lock file, keeping your package versions consistent, and removed npm-shrinkwrap. They brought on a --save default to any package you install, which saves you those, oh-so-important keystrokes 😉. One of my favorite additions is npm's npx package runner. One nifty thing that npx allows you to do is use packages on a per-project basis instead of having to save packages to your machine globally. There is much more to it though, check out the awesome Kat Marchán's post to learn more. There are also more features in general on version 5, you can check out their blog for more information.

yarn

11,851,948 installs

Even with the updates in npm 5, Yarn is still faster. Oh, you want to see the speed comparison updated on the daily? Well, Thomas Schaaf has just the thing. That's right, here he has a Google doc with daily speed comparison updates.

https://github.com/thomaschaaf/npm-vs-yarn

Yarn is on version 1 and stays fast by caching packages and using parallel operations. Caching downloaded packages also means that you have them available whether or not you have a network connection. Yarn also focused on security using checksums (basically, the outcome of an algorithm comparing information you generate and information provided by the package to make sure they match) to verify packages before you execute its code.

There has been some hesitance to adopt Yarn because it is a newer technology but since it's created and backed by Facebook, it makes the choice less risky than most young technologies. Although npm seems to have nearly four times as many installs as yarn, it is important to note that yarn does not recommend installation via npm.

Note: Installation of Yarn via npm is generally not recommended. When installing Yarn with Node-based package managers, the package is not signed, and the only integrity check performed is a basic SHA-1 hash, which is a security risk when installing system-wide apps.

For these reasons, it is highly recommended that you install Yarn through the installation method best suited to your operating system.

yarn installation guides

Tune in next year to see what happens for yarn in the year 2018, dun dun duuuuun 😋.

Bower

28,133,666 installs

This was a much larger number of installs than I would have ever guessed, coming in second overall and doubling yarn's numbers. Bower is still the most popular frontend specific package manager BUT, while it is still being maintained, the Bower team is recommending users switch to using Yarn and Webpack. In October of this year, Adam Stankiewicz made a post on the Bower blog on how to migrate off of Bower pointing to his repo, bower-away, that he had created in July. Yet, this year's install numbers show Bower with over double the amount of installs of Yarn, so we'll see how that goes. 🤔 If you feel like cozying up for a long read, check out this closed issue discussing whether or not to deprecate Bower.

I'm not sure which of these dogs I relate to more.

One thing they may not be considering is how many users are installing Bower based on a tutorial they're following and are never actually visiting their page. Since this message to the public is pretty recent we can take look at the numbers next year to see the impact it had.

jspm.io

1,941,913 installs

In their words, "jspm is a package manager for the SystemJS universal module loader, built on top of the dynamic ES6 module loader." It can load any module format (ES6, AMD, CommonJS and globals) straight from any registry, like npm and GitHub. jspm does not seem to have much GitHub love in the form of forks and stars but there is consistent activity throughout this year. With nearly two million downloads this year and consistently staying between ~150k and 200k monthly downloads throughout the year, it seems like jspm has staying power.

provided by npm stats

The Other Ones

Okay, chunking these all together may seem harsh but, let's be honest, people aren't using them as much as npm, Bower, yarn or jspm.

Which other ones you may ask? Today, we're going to look at three that are currently doing the best in installs this year: component, pnpm and ied. If we take a look at the charts, provided by npm stats (yes, just like yarn, these can all be installed using npm), pnpm is towering over the other two. I also wanted to show a chart looking at monthly downloads starting at February 2015. In this chart it looks as if component and ied have hit their peak and are slowly dying down whereas pnpm is on an upward trajectory. Let's briefly dig into each project.

provided by npm stats

provided by npm stats

pnpm - 334,497 installs: By far the most installs of these "others" package management libraries and is the youngest of the bunch having its first commit in January of 2016. It focuses on speed leveraging disk space efficiency and is actively being worked on. It currently seems to be worked on actively, having a commit every few days or so.

component - 35,340 installs: This project is deprecated and hasn't had a commit in 2 years, yet still has over 35,000 installs this year.

ied - 22,522 installs: Touts being "like npm, but faster" and had its first commit back in August of 2015. It is specifically for Node, has some killer ASCII art but hasn't had a commit in over a year.

Only the future can really say what will happen to these brave "other" libraries. Although, it's probably safe to say that component and ied may eventually fade away never to make it into the top package manager section. It is the open-source world though, so never say never.

So the package manager battle wages on but when it comes down to it, we have options for really great package management tools. Isn't that the way it should be? You tell me. I'm just happy to have a great way to install all the the things I need to build all the weird app ideas I have in my head!

Related: Look at this great list of package managers.

Conclusion

In 2017, ECMAScript continued its small but impactful deliveries, the package manager race continues to make our experiences better, we have some great tools to make JavaScripting a tidbit easier and we have more ways to utilize the advancements of the modern web. 2017 was pretty crazy but look at all these bright spots we have in our JavaScript world. That's right, I'm an optimist! There are bound to be many more things to talk about in a year's time but, for now, let's be thankful JavaScript has survived another year without burning everything to the ground 😛