Facebook Open Sources Yarn, a JavaScript package manager


Facebook has open-sourced Yarn, a package manager for JavaScript modules that pulls packages from the npm and Bower registries.

Facebook had been using the npm client successfully for many years, according to an article written by three of its engineers. Everything went well until their teams and code bases grew to a point where "consistency, security and performance" issues started to surface:

Many of our projects on Facebook, like React, depend on code in the npm registry. However, as we grew internally, we encountered consistency issues when installing dependencies on different machines and users, the time it took to extract dependencies, and we had security issues with how the npm client executes the code for some of these dependencies automatically.

Facebook mentioned having issues with npm install when it was executed by a CI tool, because their build environment is cut off from the Internet for security reasons. The immediate solution was to download all required modules separately and check them into the source code of their projects. But updating some modules had a major impact:

For example, updating a minor version of babel generated a hard-to-land 800,000-line commit and triggered lint rules for invalid UTF-8 byte sequences, Windows line endings, un-overwritten images by png, etc. Merging changes to node_modules would often take engineers a whole day.

The third attempt was to remove the modules from the source code and keep them on an internal CDN. But that meant giving the CI development and build machines an Internet connection, which was not acceptable. Eventually, they decided to create their own package manager, Yarn, which Facebook describes as fast, reliable, and secure. A web page has been created to highlight the speed differences between npm and Yarn: in most cases Yarn outperforms npm by 3 to 30 times, but there are a few cases where npm does better. Bugsnag also compared Yarn to npm and found Yarn to be 11x faster with a hot cache.

Yarn comes with a number of features:

  • Offline mode: if a package has already been installed, it can be installed again without any Internet connection.
  • Deterministic: the same dependencies will be installed in exactly the same way on every machine, regardless of installation order.
  • Network performance: Yarn queues requests efficiently and avoids request waterfalls to maximize network usage.
  • Network resiliency: the failure of a single request will not cause the installation to fail; unsuccessful requests are retried.
  • Flat mode: resolves mismatched versions of a dependency to a single version to avoid duplicates.

Another notable feature is that Yarn works with both the npm and Bower registries.

npm, Inc., the company that manages the npm registry, welcomed Yarn as another addition to the existing Node.js package managers, noting that while Yarn grabs packages from registry.yarnpkg.com, this repository is a proxy for the official npm registry. Although Facebook did not mention it specifically, Yarn also serves another goal: having a backup of Node modules in case the npm registry goes down, as happened last spring when npm was down for 2.5 hours, leaving thousands of developers around the world with failed builds. While Yarn isn't really needed unless you have the scale and development needs of Facebook, getting packages from a proxy provides a layer of resiliency in case the original registry breaks down. A proxy only shields you from an upstream outage for the package versions it has already cached, though, and whatever it serves should still be checked against the digest recorded in the lockfile rather than trusted because it arrived over HTTPS.

Facebook has made it known that Yarn is the result of a collaboration with Exponent, Google and Tilde. The code was made available on GitHub under a BSD license.

