Which Node.js package manager tools to use?

Everything in JavaScript world moves fast in comparison. Libraries and frameworks often fighting hard to dominate one another, in order to win the hearts of developers. Today let's discuss the positions of npm, yarn and a challenger called pnpm. Both yarn and pnpm were announced around the same time, only difference being Yarn was backed by Facebook and it gained traction much faster.

Performance

It is probably safe to say that pnpm > yarn > npm based on the stats released by pnpm official site.

react-app

Of course there could be biases here, but the source code for the benchmark was released on Github so anyone can go and take a look.

If you are working on a personal project that has a lot of dependencies, and build time is painfully long. Then pnpm could be a valid choice here.

Update (3rd Apr 2019): It seems like Yarn has also added the ability to do package security auditing, see offical doc. So there is even less reason to pick npm over yarn.

Features

pnpm has been compared to npm and yarn in these articles written by the author of pnpm , the articles are pnpm vs Yarn: monorepo node_modules and Why should we use pnpm? respectively.

It seems all three solutions offer similar key features, such as generating a lock file to ensure consistent dependency creation across different machines and environments. They are ultilise

Security

NPM security is a much bigger concern nowadays especially with the incidents such as "event-stream@3.3.6 (Sep - November)". So I have seperated it out from the Features section, to discuss this on its own.

There are currently two ways of getting notified of package vulnerabilities:

npm has some basic checks baked into npm audit (free)
Snyk is a open source tool that does what npm audit does plus more (free only for open source)

Even though npm hasn't got the best performance, but it is the default node package manager (it's even in the name) used across platforms. For example, if you use npm then Github can alert you when they detect vulnerabilities in our package dependencies. This feature is not avialable for yarn or pnpm. One of the main reasons I'd consider npm would be the ability to quickly and easily audit dependencies.

Of course the same could be achieved if Snyk is used somewhere in the pipeline, one might even argue this provides better audit than npm's solution. If, however, a project is private (not open source) then this would become more costly ($599+) depending on the team size. For a company that's able to make revenue off the product this might not be a very high cost, but for individual developers creating private personal projects this could be too much to consider. Then npm would be the only viable solution.

Maybe it is worth using npm on the side of yarn or pnpm just for its npm audit feature? It is worth mentioning the main reason to move to another package manager is for its speed improvements. Since npm audit requires package-lock.json to function and building it is very time intensive. If npm was added to a build pipeline purely for its security audit feature then the overall build time would be increased instead of decreased. At this point, it might be worth just taking a hit and say it is okay for the build to take 10 - 30s more, by getting some better security check in return.

Final Thoughts

Out of these three options, my personal recommendation is to use npm . Not only because it comes with Node by default, which saves an additional step when you are setting up your machine but shortens CI pipeline builds. Since it is widely used and seen as the default package manager, so you do not get some of the benefits e.g. npm audit and Github's vulnerabilities alerts.

When there are so many moving parts in the mordern frontend application already, it feels nice to not stress about another thing when developing software.