Facebook spins Yarn to replace NPM packager

The company built Yarn out of a desire for a faster, more secure version of the NPM JavaScript package manager

Tackling issues with the venerable NPM JavaScript package manager, Facebook is open-sourcing its Yarn package manager.

Developed in collaboration with engineers from Google, Tilde, and Exponent, Yarn works with every major JavaScript framework, so any JavaScript engineer who relies on shared dependencies in the ecosystem can pull code faster. Developers using Yarn can install packages significantly faster than with NPM and manage dependencies consistently across machines and in secure offline environments.

"We've used the NPM client successfully at Facebook for years, but as the size of our code base and the number of engineers grew, we ran into problems with consistency, security, and performance," Facebook engineers Sebastian McKenzie, Christoph Pojer, and James Kyle said in a jointly authored statement. "After trying to solve for each issue as it came up, we set out to build a new solution to help us manage our dependencies more reliably."

While NPM has been dependable, it can break down in large-scale code bases, Facebook said. Yarn replaces NPM in existing workflows while maintaining access to the popular NPM registry.

Many Facebook projects, such as the React JavaScript library, depend on code in the NPM registry, the engineers said. Yarn has the same feature set as existing workflows while operating faster and more securely. It imposes strict guarantees around package installation, and on some Facebook projects, it has reduced installation times from several minutes to seconds, the engineers said.

"At Facebook, we're already using Yarn in production," noted the engineers, "and it's been working really well for us. It powers the dependency and package management for many of our JavaScript projects. With each migration we've enabled engineers to build offline and helped speed up their workflow. You can see how install times for Yarn and NPM compare on React Native under different conditions, which you can find here."

The Node.js Foundation, which oversees the development of the Node.js JavaScript platform, lauded the investment in Yarn. "JavaScript and Node.js have grown tremendously over the last few years," said Mikeal Rogers, community manager of the foundation. "As enterprises increasingly leverage Node.js to scale and meet the needs of today's mobile and device-driven world, the demands on the package ecosystem continue to grow as well."

Npmjs.com, which provides the NPM registry, is paying close attention to Yarn. "We haven't had time to run extensive tests on the compatibility of Yarn," the company noted, "but it seems to work great with public packages. It does not authenticate to the registry the way the official client does, so it's currently unable to work with private packages. The Yarn team is aware of this issue and has said they'll address it."

Yarn also offers another take on NPM's shrinkwrap feature and "clever" performance work, Npmjs said. "We've also been working on these specific features, so we'll be paying close attention."

Npmjs addressed the question of whether Yarn forks the community, noting that Yarn users remain part of the NPM community and that Yarn is not a fork. "Yarn publishes to NPM's own registry by default, so Yarn users continue to be part of the existing community and benefit from the same 350,000-plus packages as users of the official NPM client. Yarn pulls packages from registry.yarnpkg.com, which allows them to run experiments with the Yarn client. This is a proxy that pulls packages from the official NPM registry, much like npmjs.cf."

Copyright © 2016 IDG Communications, Inc.