59

Recently I tried installing my Node packages with Yarn. It works great and it's a lot faster than NPM. Yarn automatically generates yarn.lock. We already have NPM shrinkwrap (npm-shrinkwrap.json).

Is there any difference between them? Does yarn.lock has any advantage over npm-shrinkwrap.json?

Aurora0001
  • 13,139
  • 5
  • 50
  • 53
Fizer Khan
  • 88,237
  • 28
  • 143
  • 153

2 Answers2

55

The yarn.lock file is quite similar to other package managers' lock files, especially Rust's Cargo package manager, which has Cargo.lock. The idea of these lock files is to represent a consistent set of packages that should always work.

npm stores dependency ranges in the package.json file, which means that when someone installs your package, they might get a different set of dependencies to you, since you might be running outdated packages (although they still satisfy the dependency range you specified). Take, for example, someone who has specified the dependency "foo": "^1.0.0". They might have actually installed foo v1.0.1, because that was the latest when they ran npm install, but later on, someone installs your package and gets the dependency foo v1.1.0. This might break something unexpectedly, which can be avoided if you have a yarn.lock file which guarantees consistent package resolution.

As for comparison with npm shrinkwrap, the documentation explains it very clearly:

It’s similar to npm’s npm-shrinkwrap.json, however it’s not lossy and it creates reproducible results.

The documentation also advises committing yarn.lock to your repositories, if you're not already doing this, so you can reap the benefits of consistent and reproducible package resolution. This question also explains further why you should do this.

The lossy behaviour of npm shrinkwrap is due to the non-deterministic algorithms used by npm itself; as stated in the comments of another answer, npm shrinkwrap > npm install > npm shrinkwrap is not guaranteed to produce the same output as just shrinkwrapping once, whereas Yarn explicitly uses "an install algorithm that is deterministic and reliable".

Community
  • 1
  • 1
Aurora0001
  • 13,139
  • 5
  • 50
  • 53
  • 11
    I thought the purpose of npm-shrinkwrap was to lock the dependencies. Can you explain how/why npm-shrinkwrap is lossy? – styfle Oct 19 '16 at 16:24
  • 2
    The [shrinkwrap docs](https://docs.npmjs.com/cli/shrinkwrap) make it sound like it is not lossy: "it's desirable to fully specify each version of each dependency recursively so that subsequent builds and deploys do not inadvertently pick up newer versions of a dependency that satisfy the semver pattern" – styfle Oct 19 '16 at 17:35
  • Trying to think of a simpler feature than adding a lock-box to peg a set of package versions... but failed to come up with anything. I mean, you can simply filter the package.json, stripping its range characters, thus pinning versions to an exact number. I shall call him "tangle". cat package.json | tangle > package.pinned.json – Rick O'Shea Jan 19 '17 at 23:21
  • 9
    "As for comparison with npm shrinkwrap, the documentation explains it very clearly: It’s similar to npm’s npm-shrinkwrap.json, however it’s not lossy and it creates reproducible results." That's not clear at all, though. Shrinkwrap is not actually lossy, and shrinkwrap's entire purpose is reproducibility. It's just vague and incorrect unverifiable claims. – John Haugeland Jul 18 '17 at 16:17
  • 3
    The description of [package locks](https://docs.npmjs.com/files/package-locks) in the NPM docs makes `package-lock.json` sound almost identical to a `yarn.lock` in terms of purpose. Is this now just a case where Yarn had a good idea and NPM has now implemented it? – Scribblemacher Sep 08 '17 at 11:58
  • Crickets for a question posed in yarn's github: https://github.com/yarnpkg/website/issues/509 – Johntron Oct 02 '17 at 14:47
5

Is there any difference between them

Yarn follows a more deterministic algorithm, compared to npm shrinkwrap. If you're using Yarn, continuing to use shrinkwrap would be counter-intuitive

You can find this in the documentation for yarn.lock:

It’s similar to npm’s npm-shrinkwrap.json, however it’s not lossy and it creates reproducible results

However, the question still remains whether yarn is production ready. There are still a bunch of glaring bugs open on the GitHub repo, so I would wait it out for a month or so.

nikjohn
  • 20,026
  • 14
  • 50
  • 86
  • 7
    Whay does it mean that shrink-wrap is lossy ? – Willem D'Haeseleer Oct 15 '16 at 18:02
  • 1
    That means `npm shrinkwrap` > `npm install` > `npm shrinkwrap` yields different npm-shrinkwrap files that the initial time around – nikjohn Oct 16 '16 at 19:20
  • 7
    Is there evidence of this behavior? Per NPM shrinkwrap docs "running npm install with no arguments will merely reproduce the existing shrinkwrap." (ref: https://docs.npmjs.com/cli/shrinkwrap) – Curtis Patrick Nov 14 '16 at 16:07
  • 1
    @CurtisPatrick from npm shrinkwrap docs: ```If you wish to lock down the specific bytes included in a package, for example to have 100% confidence in being able to reproduce a deployment or build, then you ought to check your dependencies into source control, or pursue some other mechanism that can verify contents rather than versions.``` – taminov Dec 11 '16 at 17:22
  • 3
    @taminov Does that mean the only difference is compiled code? Npm shrinkwrap will always download the same source deterministically, but any code that requires compilation is re-compiled each time? Does yarn lock compiled binaries too? – limscoder Apr 24 '17 at 21:59
  • 1
    "Is there evidence of this behavior?" <- that – Johntron Oct 02 '17 at 14:49
  • @limscoder This comment thread dead ends the same as a similar yarn github issue. Did u find an answer to your question abt compiled code? https://github.com/yarnpkg/website/issues/509 – Luke W Jan 20 '18 at 23:57
  • The comments about npm shrinkwrap being "lossy" may be based on [this comment](https://github.com/yarnpkg/yarn/issues/838#issuecomment-253171977), and [this thread](https://github.com/yarnpkg/yarn/issues/41) that it links to. – Venryx Nov 21 '21 at 16:37