Which Node.js package manager tools to use?
It is probably safe to say that pnpm > yarn > npm in terms of install speed, based on the stats released by the official pnpm site.
Of course there could be biases here, but the source code for the benchmark was released on GitHub so anyone can go and take a look.
If you are working on a personal project that has a lot of dependencies and the build time is painfully long, then pnpm could be a valid choice.
Update (3rd Apr 2019): It seems like Yarn has also added the ability to do package security auditing, see the official doc. So there is even less reason to pick
It seems all three solutions offer similar key features, such as generating a lock file to ensure consistent dependency resolution across different machines and environments. They are utilise
Security of the npm ecosystem is a much bigger concern nowadays, especially after incidents such as "firstname.lastname@example.org (Sep - November)". So I have separated it out from the Features section to discuss it on its own.
There are currently two ways of getting notified of package vulnerabilities:
- npm has some basic checks baked in via npm audit.
- Snyk is a third-party vulnerability scanner that does what npm audit does plus more (free only for open source projects).
npm hasn't got the best performance, but it is the default Node package manager (it's even in the name) and is used across platforms. For example, if you use npm and commit its package-lock.json, GitHub can alert you when it detects vulnerabilities in your package dependencies; this feature is not available for pnpm. One of the main reasons I'd consider npm is the ability to quickly and easily audit dependencies.
Of course the same could be achieved if Snyk is used somewhere in the pipeline, and one might even argue it provides a better audit than npm's solution. If, however, a project is private (not open source) then this becomes more costly ($599+) depending on the team size. For a company that makes revenue off the product this might not be a very high cost, but for individual developers creating private personal projects it could be too much to consider. Then npm would be the only viable solution.
Maybe it is worth using npm alongside pnpm just for its npm audit feature? It is worth remembering that the main reason to move to another package manager is its speed improvement. npm audit requires a package-lock.json to function, and running a full npm install to produce one is time intensive; if npm were added to a build pipeline purely for its security audit feature, the overall build time would increase instead of decrease. (npm install --package-lock-only writes the lock file without populating node_modules, which keeps that overhead down, but it still has to resolve the whole dependency tree against the registry.) At that point it might be worth just taking the hit and accepting that the build takes 10 - 30s longer, in return for a better security check.
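If npm audit is bolted onto a pipeline like this, the useful part is not the command itself but deciding what its report means for the build. The script below is an added example written for this post (it is not code from the original article or from npm), showing a small CI gate over the JSON that `npm audit --json` prints: it normalises both the npm 6 report shape (an `advisories` map) and the npm 7+ shape (a `vulnerabilities` map), fails the build when any finding is at or above a chosen severity, and lists the offenders most severe first. The sample report, package names, advisory ids and version ranges embedded in it are constructed for the example, and the function and flag names (`evaluateAudit`, `--stdin`) are this example's own choices.

```javascript
'use strict';

// Severity scale used by npm audit, lowest to highest.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Map a severity name to its position on the scale; reject unknown names
// rather than silently treating them as harmless.
function severityRank(severity) {
  const rank = SEVERITIES.indexOf(String(severity).toLowerCase());
  if (rank === -1) throw new Error(`unknown severity: ${severity}`);
  return rank;
}

// Normalise a report into a flat list of { id, name, severity, range }.
// npm 6 emits an "advisories" map keyed by advisory id; npm 7 and later emit a
// "vulnerabilities" map keyed by package name (auditReportVersion 2). Both
// formats carry per-severity totals under metadata.vulnerabilities.
function extractFindings(report) {
  if (report && report.advisories && typeof report.advisories === 'object') {
    return Object.values(report.advisories).map((a) => ({
      id: a.id,
      name: a.module_name,
      severity: a.severity,
      range: a.vulnerable_versions,
    }));
  }
  if (report && report.vulnerabilities && typeof report.vulnerabilities === 'object') {
    return Object.values(report.vulnerabilities).map((v) => ({
      id: null,
      name: v.name,
      severity: v.severity,
      range: v.range,
    }));
  }
  throw new Error('unrecognised npm audit report: no "advisories" or "vulnerabilities" key');
}

// Decide whether the build should fail: any finding at or above `threshold`
// is an offender. Offenders are sorted most severe first for the log.
function evaluateAudit(report, threshold = 'high') {
  const minRank = severityRank(threshold);
  const offenders = extractFindings(report)
    .filter((f) => severityRank(f.severity) >= minRank)
    .sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  return { failed: offenders.length > 0, offenders, counts };
}

// Human-readable verdict for the CI log.
function formatVerdict(result, threshold) {
  const lines = result.offenders.map(
    (o) => `  ${o.severity.padEnd(8)} ${o.name} (${o.range})`
  );
  const totals = SEVERITIES.map((s) => `${s}=${result.counts[s] || 0}`).join(' ');
  const verdict = result.failed
    ? `FAIL: ${result.offenders.length} finding(s) at or above "${threshold}"`
    : `PASS: nothing at or above "${threshold}"`;
  return [verdict, ...lines, `totals: ${totals}`].join('\n');
}

// Constructed sample of npm 6 `npm audit --json` output. The package names,
// advisory ids and version ranges are invented for this example.
const SAMPLE_REPORT = {
  advisories: {
    '1': {
      id: 1,
      module_name: 'example-dep',
      severity: 'high',
      title: 'Constructed example advisory',
      vulnerable_versions: '<1.2.3',
      patched_versions: '>=1.2.3',
      findings: [{ version: '1.0.0', paths: ['example-app>example-dep'] }],
    },
    '2': {
      id: 2,
      module_name: 'other-dep',
      severity: 'low',
      title: 'Another constructed advisory',
      vulnerable_versions: '<0.5.0',
      patched_versions: '>=0.5.0',
      findings: [{ version: '0.4.1', paths: ['example-app>example-dep>other-dep'] }],
    },
  },
  muted: [],
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

// CLI mode: `npm audit --json | node audit-gate.js --stdin [threshold]`.
// Guarded by an explicit flag so that importing this file has no side effects.
if (process.argv[2] === '--stdin') {
  const raw = require('fs').readFileSync(0, 'utf8');
  const threshold = process.argv[3] || 'high';
  const result = evaluateAudit(JSON.parse(raw), threshold);
  console.log(formatVerdict(result, threshold));
  process.exitCode = result.failed ? 1 : 0;
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { SEVERITIES, severityRank, extractFindings, evaluateAudit, formatVerdict, SAMPLE_REPORT };
}
```

In a pnpm project the pipeline step would be `npm install --package-lock-only && npm audit --json | node audit-gate.js --stdin high`. Two caveats when wiring this up: npm audit itself exits non-zero whenever it finds anything, so with `set -o pipefail` the pipe fails before the gate runs (its JSON is still printed, so either drop pipefail for that step or capture the output to a file first), and the generated package-lock.json should not be committed to a pnpm repository, or the two lock files will drift apart.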
Out of these three options, my personal recommendation is to use npm. Not only does it come with Node by default, which saves an additional step when you are setting up your machine and shortens CI pipeline builds, but because it is so widely used and treated as the default package manager you also get benefits such as npm audit and GitHub's vulnerability alerts.
When there are already so many moving parts in a modern frontend application, it feels nice to not stress about another thing when developing software.