问题描述

我想问一下你最喜欢JS的包管理器是什么？
我看到一些关于纱线和npm的文章。但我不确定对我来说什么更好。我刚开始学习JS。

I want to ask what is your favorite package manager for JS ?I saw some articles about yarn and npm. But I am not sure what can be better for me. I just start learning JS.

现在纱线和npm之间的区别对我来说就像可乐品牌之间的区别。

Right now difference between yarn and npm is for me like difference between brands of cola.

推荐答案

有时候我们只有 npm 但它解决了依赖关系和缓存这么多问题，而另一个工具已经诞生了（纱）。通常它使用本地缓存来解决依赖关系，例如，在运行CI作业时这是至关重要的，这些作业几乎总是在相同的环境中运行，而高带宽在您支付云服务中的数据时成本很高。这意味着在旧的 npm 版本中，当您运行 npm install 并且您已经使用了deps

There were times when we had only npm but it had so many issues with resolving dependencies and caching that another tool has born (yarn). Usually it was using local cache to resolve dependencies and it was crucial for example while running CI jobs which are almost always ran in same environment and high bandwidth is costly as you pay for data in cloud services. That means in old npm versions when you ran npm install and you had lets in deps

请理解纱是建立在<$的顶部c $ c> npm 软件包和这意味着他们都使用 NPM 注册表来解析包。所以如果你运行 npm install lodash@1.0.0。或 yarn add lodash@1.0.0。你会得到非常相同的结果

Please understand that yarn was built on the top of npm packages and https://www.npmjs.com/ that means they are both using NPM registry for resolving packages. so if you run npm install lodash@1.0.0. or yarn add lodash@1.0.0. you will get very same result

lodash@1.0.0
react@16.0.0


在每个新构建中，两个依赖项再次从Internet下载。 Yarn在下面使用 yarn.lock ，它将 package.json 文件与纱线进行比较。锁定并确定需要另外提取哪些包以仅增量安装新的依赖项

On every new build both dependencies were again downloaded from internet. Yarn uses yarn.lock underneath and it is comparing your package.json file with yarn.lock and determines which packages needs to be fetched additionally to only incrementally install new dependencies

yarn 提供并行安装不依赖于线程的包。从 npm install

yarn offers parallel installation of packages which are not dependent in threads. It can lower installation time to 1/10 of time from npm install

如前所述纱线在每次安装后生成 yarn.lock ，这些版本会持续存在所有版本已安装的软件包（因为您可能知道软件包也可能具有依赖关系，并且依赖关系也可能具有依赖关系）因此它可能会构建无限的依赖关系树，从而导致非常糟糕的冲突。让我们想象一下这个场景

As said before yarn generates yarn.lock after each installation which persists ALL versions of installed packages (as you probably know package can has also dependencies and dependency can have also dependency) so it can build up infinite tree of dependencies which can lead to very bad conflicts. Let's imagine this scenario

app
- lodash ^ 1
- super_module@0.0.1
- - lodash@1.0.0
- another_module@0.0.01
- - lodash@1.xx


想象一下当 another_module 的维护者决定将lodash碰到破坏更改版本 1.2.0 可能发生的情况是过去 npm 可以获取同一个库的2个不同实例，以及2个不同的版本，这可能会导致非常奇怪的行为。因为您的模块中没有确切的锁定（您接受任何semver版本^ 1.xx和^ 2.xx，这意味着两个子模块都可以满足您的要求，但会获取不同的版本。纱线会锁定您的 yarn.lock 在向项目添加新包时，这意味着当您项目中的其他开发人员检查项目时，他也会有相同的 yarn.lock 和 yarn 将最终模仿包裹状态，当你提交 yarn.lock 另一方面 NPM 只关注semver满意度，可以为2位开发者提取2个不同版本（假设时间包正在升级）

Imagine scenario when maintainer of another_module decides to bump lodash to breaking changes version 1.2.0 what can happen is that npm in old days could fetch 2 different instances of same library, and 2 different version which could lead to extremely weird behavior. Because as you don't have exact lock in your module (you accept any semver version ^1.x.x and ^2.x.x so that means both sub modules would satisfie your requirements but fetch different version. Yarn will lock your yarn.lock AT THE TIME OF AN ADDING new package to the project, that means when other developers on your project will checkout the project he will also have same yarn.lock and yarn will ultimately "mimic" the state of package how they were installed when you committed yarn.lock on other hands NPM just looks to the semver satisfaction and can fetch 2 different version for 2 developers (assuming that in time packages are upgrading)

npm 人们做了很多工作因为他们发布了 npm @ 5 而且我认为所有陈述现在都是为什么 yarn 被创建以及它是什么问题的原因在当时解决，但我想在目前的日期，现在这两个人之间没有太大的区别

There has been a lot of work from npm guys as they released npm@5 and I think all statements are now just reasons WHY yarn was created and which problems it was solving at the time, but I think at current date, it is no big difference between those 2 nowadays