Package Manager Rumble
Thankfully, we have teams creating better and better experiences for us to install and organize these modules. npm, Yarn and Bower are still the leaders of the pack...age management tools, but I also wanted to throw in jspm. With close to two million installs this year, jspm is still going strong. Now, this isn't going to be a package manager brawl, despite the title of this post. I'll give you the info and you can decide what it means to you. I'm not going to lie though: I use npm and like their team and what they do a ton. So, if I come across as biased, it's probably because I am.
Let's first take a look at the comparative installs for the year. There seems to be an almost steady level of separation between each of these package managers. npm still has a large lead over yarn but is less than double the installs of Bower. One of the first things that caught my eye is the obvious pattern of hill-like install stats. Although jspm looks to be skimming the bottom, it still reached nearly two million installs this year.
It's pretty clear to see that there were many aspects of Yarn that users liked: the speed, the lockfile...
TODO: what other aspects?
Just kidding! Although that really was my note, thank TJ VanToll for recognizing the comedic spin. Jokes aside, Yarn got a ton of attention last year because of its Facebook backing and solutions to npm users sore spots like slow installs and errors caused by package version inconsistencies.
In response, npm released version 5, which was packed with fun things. One of the main focuses of this release was increasing their speed, which, of course, prompted amazing blog post titles like, "npm@5 - Yarn killer" by Nikhil John. With this update npm is noticeably faster.
This update also included a package-lock.json file, which has the same benefits as the yarn.lock file, keeping your package versions consistent, and removed npm-shrinkwrap. They also made --save the default for any package you install, which saves you those oh-so-important keystrokes. One of my favorite additions is npm's npx package runner. One nifty thing that npx allows you to do is use packages on a per-project basis instead of having to save packages to your machine globally. There is much more to it though; check out the awesome Kat Marchán's post to learn more. There are also more features in general in version 5; you can check out their blog for more information.
Even with the updates in npm 5, Yarn is still faster. Oh, you want to see the speed comparison updated on the daily? Well, Thomas Schaaf has just the thing. That's right, here he has a Google doc with daily speed comparison updates.
Yarn is on version 1 and stays fast by caching packages and using parallel operations. Caching downloaded packages also means that you have them available whether or not you have a network connection. Yarn also focused on security by using checksums (a checksum is a hash computed over the package contents; Yarn compares the hash of what it actually downloaded against the one recorded for the package, and the two must match) to verify packages before their code is executed.
There has been some hesitance to adopt Yarn because it is a newer technology but since it's created and backed by Facebook, it makes the choice less risky than most young technologies. Although npm seems to have nearly four times as many installs as yarn, it is important to note that yarn does not recommend installation via npm.
Note: Installation of Yarn via npm is generally not recommended. When installing Yarn with Node-based package managers, the package is not signed, and the only integrity check performed is a basic SHA-1 hash, which is a security risk when installing system-wide apps.
For these reasons, it is highly recommended that you install Yarn through the installation method best suited to your operating system (see the Yarn installation guides).
Tune in next year to see what happens for yarn in the year 2018.
This was a much larger number of installs than I would have ever guessed, coming in second overall and doubling yarn's numbers. Bower is still the most popular frontend specific package manager BUT, while it is still being maintained, the Bower team is recommending users switch to using Yarn and Webpack. In October of this year, Adam Stankiewicz made a post on the Bower blog on how to migrate off of Bower pointing to his repo, bower-away, that he had created in July. Yet, this year's install numbers show Bower with over double the amount of installs of Yarn, so we'll see how that goes. If you feel like cozying up for a long read, check out this closed issue discussing whether or not to deprecate Bower.
One thing they may not be considering is how many users are installing Bower based on a tutorial they're following and are never actually visiting their page. Since this message to the public is pretty recent we can take look at the numbers next year to see the impact it had.
In their words, "jspm is a package manager for the SystemJS universal module loader, built on top of the dynamic ES6 module loader." It can load any module format (ES6, AMD, CommonJS and globals) straight from any registry, like npm and GitHub. jspm does not seem to have much GitHub love in the form of forks and stars but there is consistent activity throughout this year. With nearly two million downloads this year and consistently staying between ~150k and 200k monthly downloads throughout the year, it seems like jspm has staying power.
The Other Ones
Okay, chunking these all together may seem harsh but, let's be honest, people aren't using them as much as npm, Bower, yarn or jspm.
Which other ones you may ask? Today, we're going to look at three that are currently doing the best in installs this year: component, pnpm, and ied. If we take a look at the charts, provided by npm stats (yes, just like yarn, these can all be installed using npm), pnpm is towering over the other two. I also wanted to show a chart looking at monthly downloads starting at February 2015. In this chart it looks as if component and ied have hit their peak and are slowly dying down whereas pnpm is on an upward trajectory. Let's briefly dig into each project.
pnpm - 334,497 installs: By far the most installs of these "other" package management libraries, and the youngest of the bunch, having its first commit in January of 2016. It focuses on speed and disk space efficiency, and it is actively being worked on, with a commit every few days or so.
component - 35,340 installs: This project is deprecated and hasn't had a commit in 2 years, yet still has over 35,000 installs this year.
ied - 22,522 installs: Touts being "like npm, but faster" and had its first commit back in August of 2015. It is specifically for Node, has some killer ASCII art but hasn't had a commit in over a year.
Only the future can really say what will happen to these brave "other" libraries. Although, it's probably safe to say that component and ied may eventually fade away never to make it into the top package manager section. It is the open-source world though, so never say never.
So the package manager battle wages on but when it comes down to it, we have options for really great package management tools. Isn't that the way it should be? You tell me. I'm just happy to have a great way to install all the things I need to build all the weird app ideas I have in my head!
Related: Look at this great list of package managers.
Published at DZone with permission of Tara Manicsic , DZone MVB. See the original article here.