Yarn is a fast, reliable, and secure dependency management tool that is used to manage project dependencies in JavaScript and Node.js environments. It caches every package it downloads, so it never needs to download the same package again. It also parallelizes operations to maximize resource utilization, and it uses checksums to verify the integrity of every installed package before its code is executed.
Adding a dependency
This command adds the lodash package to the project's dependencies.
yarn add lodashUpgrading a dependency
This command upgrades the react package to its latest version according to the version range specified in the package.json file.
yarn upgrade reactRemoving a dependency
This command removes the moment package from the project's dependencies.
yarn remove momentInstalling all dependencies
This command installs all the dependencies listed in the project's package.json file.
yarn installLocking down dependency versions
This command installs dependencies based on the yarn.lock file without generating a new lock file, ensuring reproducibility across installations.
yarn install --frozen-lockfilenpm is the default package manager for Node.js and is bundled with it. It serves a similar purpose to Yarn, allowing users to install, share, and manage dependencies in their projects. Compared to Yarn, npm has a different CLI syntax and handles package installations and lock files differently. npm has improved its performance in recent versions, but Yarn is often cited for its faster and more reliable installations due to its caching and parallelization features.
pnpm is another alternative to Yarn that focuses on performance and disk space efficiency. It uses a content-addressable filesystem to store packages, which means that a package version is saved only once on a disk and then hard-linked into the node_modules directories of projects that use it. This results in faster installations and less disk space usage. pnpm also has a strictness that prevents implicit dependencies, which can lead to more predictable and secure projects.
Fast, reliable, and secure dependency management.
Fast: Yarn caches every package it has downloaded, so it never needs to download the same package again. It also does almost everything concurrently to maximize resource utilization. This means even faster installs.
Reliable: Using a detailed but concise lockfile format and a deterministic algorithm for install operations, Yarn is able to guarantee that any installation that works on one system will work exactly the same on another system.
Secure: Yarn uses checksums to verify the integrity of every installed package before its code is executed.
Read the Installation Guide on our website for detailed instructions on how to install Yarn.
Read the Usage Guide on our website for detailed instructions on how to use Yarn.
Contributions are always welcome, no matter how large or small. Substantial feature requests should be proposed as an RFC. Before contributing, please read the code of conduct.
See Contributing.
Yarn wouldn't exist if it wasn't for excellent prior art. Yarn has been inspired by the following projects:
Thanks to Sam Holmes for donating the npm package name!
FAQs
📦🐈 Fast, reliable, and secure dependency management.
We found that yarn demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.