Node Package Manager (npm), released in 2010, is one of several package managers available for JavaScript and the default one for Node.js. It is used to manage the dependencies of a project.
npm consists of:
- The npm website, where you can find third-party packages and create and manage your own;
- The npm CLI;
- The registry, a large online database of public (open-source) and private JavaScript packages.
What is package.json?
Any JavaScript project can be packaged as an npm package; the package.json file in it describes the project. package.json is generated when you run `npm init` to initialize your JavaScript or Node.js project, using the baseline metadata you provide: `name`, `version`, `description`, and `license`.
package.json additionally has a `scripts` property for running command-line tools installed in the project's local context. You can execute any of these with `npm run-script <stage>`, or `npm run <stage>` for short. Scripts that belong to an installed dependency can be run from inside that package's directory with `npm explore <pkg> -- npm run <stage>`.
With the more recent addition of `npx` (Node Package Executor), these locally installed node_modules commands can be run just like a globally installed program.
Dependencies or devDependencies?
Both are key-value objects, where each key is the name of an npm library and the value is its version in semantic-versioning format.
Install dependencies using the `npm install` command with the `--save` or `--save-dev` flag. The former are packages needed in production; the latter are needed only for JavaScript development and testing.
It is important to understand the prefixes that may come before a semantic version (this assumes you are acquainted with the `major.minor.patch` model of semver):
`^` – accepts the latest minor release (minor and patch updates).
`~` – accepts the latest patch release (patch updates only).
What is package-lock.json?
The package-lock.json file records the exact version of every dependency in the npm JavaScript project. If package.json is the recipe, package-lock.json is the list of ingredients.
package-lock.json is created or updated by the `npm install` command; `npm ci` installs exactly the versions it records.
You can find more information about npm commands here.
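The following is an added example, not code from the original article or from npm itself. It serves two of the points above: the first half shows how the `^` and `~` prefixes on a `major.minor.patch` version are interpreted, and the second half uses that to check a package.json against its package-lock.json, reporting dependencies with no locked entry, a locked version outside the declared range, or a locked entry with no integrity hash. The manifest and lock file are constructed sample data (the package names are invented and the integrity values are placeholders); the code assumes plain numeric versions without prerelease tags and the lockfile layout in which `packages` is keyed by `node_modules/<name>`.

```javascript
// Added example: ^ / ~ range semantics plus a package.json vs package-lock.json
// consistency check. Assumes numeric major.minor.patch versions (no prerelease
// tags) and a lock file whose "packages" map is keyed by "node_modules/<name>".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a major.minor.patch version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]: <0, 0 or >0 like strcmp.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound allowed by a range prefix.
function upperBound(prefix, [major, minor, patch]) {
  if (prefix === '~') return [major, minor + 1, 0]; // ~1.2.3 -> <1.3.0
  // ^ keeps the left-most non-zero component fixed:
  // ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy a range written as "1.2.3", "^1.2.3" or "~1.2.3"?
function satisfies(range, version) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range syntax: ${range}`);
  const base = parseVersion(m[2]);
  const v = parseVersion(version);
  if (m[1] === '') return compare(v, base) === 0; // exact pin
  return compare(v, base) >= 0 && compare(v, upperBound(m[1], base)) < 0;
}

// Highest version in `available` that the range accepts, or null if none.
function maxSatisfying(range, available) {
  const ok = available.filter((v) => satisfies(range, v));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Constructed sample manifest and lock file; names and hashes are not real.
const packageJson = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: { 'left-pad-ish': '^1.3.0', 'logger-ish': '~2.1.0', 'mailer-ish': '^0.4.1' },
  devDependencies: { 'test-runner-ish': '^9.0.0' },
};

const packageLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad-ish': { version: '1.3.7', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/logger-ish': { version: '2.2.0', integrity: 'sha512-PLACEHOLDER' }, // outside ~2.1.0
    'node_modules/mailer-ish': { version: '0.4.9' }, // integrity field missing
    // 'test-runner-ish' deliberately has no locked entry
  },
};

// Returns human-readable findings; an empty list means every declared
// dependency is locked to an allowed version together with an integrity hash.
function checkLock(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) {
      findings.push(`${name}: no entry in package-lock.json`);
      continue;
    }
    if (!satisfies(range, entry.version)) {
      findings.push(`${name}: locked ${entry.version} is outside ${range}`);
    }
    if (!entry.integrity) findings.push(`${name}: locked entry has no integrity hash`);
  }
  return findings;
}

console.log(checkLock(packageJson, packageLock));
```

Running the block prints three findings for the sample data: `logger-ish` is locked to 2.2.0 although `~2.1.0` only allows 2.1.x, `mailer-ish` has no integrity hash, and `test-runner-ish` is not locked at all. A check like this is worth running in CI before `npm ci`, because a lock file that drifts from the manifest, or that lacks integrity hashes, silently loses the reproducibility the lock file exists to provide.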
What are the differences between npm and yarn?
Let's take a quick look at what Yarn is. Yarn (Yet Another Resource Negotiator) launched in October 2016 and is itself distributed as an npm package, for projects that use Node.js packages. Yarn was developed to address the weaknesses and bugs of npm, as it is fast, stable, and secure. Like npm, it has a lock file that keeps package versions identical across installations of the same project on multiple systems.
Now let's compare Yarn and npm:
- Although Yarn is newer than npm, it appears to be more widely used and popular than npm.
- npm doesn't need to be installed separately because it is bundled with Node.js. Yarn is an npm package, so it can be installed with the command `npm install yarn`.
- Both Yarn and npm manage dependencies in similar ways. Both use a package.json file in the root of the project's working directory, where all required project metadata is stored; it is used to manage the project's dependency versions, scripts, and so on. For both package managers, the dependency files are stored in the node_modules folder (in Yarn 2 this folder is no longer used by default). Yarn and npm both generate a lock file automatically (yarn.lock and package-lock.json) that records the exact versions of the dependencies used in the project.
- Security is another major point of comparison between Yarn and npm. Yarn was originally considered the more secure of the two, and npm has since been very successful in adding security enhancements.
Both tools are well designed to manage and maintain your project's dependency hierarchy, and both have large, supportive communities. In conclusion, the choice between npm and Yarn depends on your specific preferences and project requirements.