Rumble Package Manager – DZone Web Dev


Along with the discussion of using JavaScript comes the discussion of package managers. Modules help us use the tools that we and other developers make, because WHY would you spend time rewriting something that already exists and works well? If this question didn’t occur to you or was not repeated in a team meeting at least once in 2017, you might be wrong. I’m just saying.

Fortunately, we have teams that create better experiences for us to install and organize these modules. npm, Yarn, and Bower are still the leaders in package management tools, but I also wanted to add jspm. With nearly two million installs this year, jspm is still going strong. Now, this isn’t going to be a package manager brawl, despite the title of this article. I will give you the info and you can decide what it means for you. I’m not going to lie though: I use npm and I love their team and what they do a lot. So if I sound biased, it’s probably because I am.


Let’s take a look at the comparative installs for the year first. There seems to be an almost constant level of separation between each of these package managers. npm still has a big lead on Yarn, but has less than twice Bower’s installs. One of the first things that caught my eye was the obvious hill-shaped pattern in the install stats. While jspm appears to be scraping the bottom, it still hit nearly two million installs this year.

It’s pretty clear to see that there were many aspects of Yarn that users loved: the speed, the lock file …

TODO: what other aspects?

I kid! Although this really is my assessment, thank you TJ VanToll for recognizing the comedic side. Joking aside, Yarn garnered a ton of attention last year due to its backing by Facebook and its solutions to npm user pain points like slow installs and errors caused by package version inconsistencies.

In response, npm released version 5, which is full of fun stuff. One of the main goals of this release was to increase their speed, which, of course, sparked some amazing blog titles like “npm @ 5 – Yarn killer” by Nikhil John. With this update, npm is significantly faster.

Look at this speed!

This update also included a package-lock.json file, which has the same advantages as Yarn’s yarn.lock file, keeping your package versions consistent, and removing npm-shrinkwrap. They made --save the default for any package you install, which saves you those all-important keystrokes. One of my favorite additions is npm’s npx package manager. One cool thing that npx lets you do is use per-project packages instead of having to save packages to your machine globally. It does much more; check out Kat Marchán’s impressive article for details. There are also more features in version 5 in general; you can check their blog for more information.


11,851,948 installations

Even with the updates in npm 5, Yarn is still faster. Oh, want to see a daily updated speed comparison? Well, Thomas Schaaf has just the thing. That’s right, here’s a Google Doc with daily speed comparison updates.

Yarn is on version 1 and stays fast by caching packages and using parallel operations. Caching downloaded packages also means that you have them available whether or not you have a network connection. Yarn also focused on security by using checksums (essentially, a value computed by an algorithm from the data you downloaded, compared against the value provided for the package to make sure they match) to verify packages before executing their code.

There has been some reluctance to embrace Yarn as it is a newer technology, but since it is created and supported by Facebook, the choice is less risky than most young technologies. Although npm appears to have almost four times as many installs as Yarn, it is important to note that Yarn does not recommend installing through npm.

Note: Installing Yarn via npm is generally not recommended. When installing Yarn via Node-based package managers, the package is not signed and the only integrity check performed is a basic SHA-1 hash, which is a security risk when installing system-wide applications.

For these reasons, it is strongly recommended that you install Yarn through the installation method best suited to your operating system.

Yarn installation guides
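The checksum verification described above, as an added example that is not part of the original article and is not npm's or Yarn's own code: it checks a tarball's bytes against an SRI-style integrity string of the kind stored in a lockfile's `integrity` field, and flags a result that rests on SHA-1 alone. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example (not npm's or Yarn's code): check tarball bytes against an
// SRI-style integrity string and flag verification that rests on SHA-1 alone.
const crypto = require('crypto');

// Supported algorithms, strongest first. sha1 still matches but is reported weak.
const STRENGTH = ['sha512', 'sha384', 'sha256', 'sha1'];

// Parse "sha512-<base64> sha1-<base64>" into [{ algo, digest }] entries.
function parseIntegrity(sri) {
  return sri.trim().split(/\s+/).map((token) => {
    const dash = token.indexOf('-');
    const algo = dash > 0 ? token.slice(0, dash).toLowerCase() : '';
    if (!STRENGTH.includes(algo)) {
      throw new Error(`unsupported integrity entry: ${token}`);
    }
    const b64 = token.slice(dash + 1).split('?')[0]; // drop any SRI options
    return { algo, digest: Buffer.from(b64, 'base64') };
  });
}

// Verify `data` (a Buffer) against the strongest hash the integrity string offers.
function verifyTarball(data, sri) {
  const entries = parseIntegrity(sri);
  entries.sort((a, b) => STRENGTH.indexOf(a.algo) - STRENGTH.indexOf(b.algo));
  const best = entries[0];
  const actual = crypto.createHash(best.algo).update(data).digest();
  // timingSafeEqual throws on unequal lengths, so check the length first.
  const ok = actual.length === best.digest.length &&
    crypto.timingSafeEqual(actual, best.digest);
  return { ok, algo: best.algo, weak: best.algo === 'sha1' };
}

// Helper for the demo: build an integrity string for given bytes.
function sriFor(algo, buf) {
  return `${algo}-${crypto.createHash(algo).update(buf).digest('base64')}`;
}

// Constructed sample input: stand-in bytes, not a real package tarball.
const sampleTarball = Buffer.from('constructed sample tarball bytes');
const strongSri = sriFor('sha512', sampleTarball);
const weakSri = sriFor('sha1', sampleTarball);

console.log(verifyTarball(sampleTarball, strongSri));            // intact, sha512
console.log(verifyTarball(sampleTarball, weakSri));              // intact, weak
console.log(verifyTarball(Buffer.from('tampered'), strongSri));  // mismatch
```

A passing result with `weak: true` means the bytes matched, but only under SHA-1, which is the situation the note above describes for Yarn installed through npm.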

Tune in next year to see what’s happening with Yarn in 2018.


28,133,666 installations

This was a much larger number of installs than I ever imagined, coming in second overall and doubling Yarn’s number. Bower is still the most popular frontend-specific package manager BUT, while it is still being maintained, the Bower team recommends users upgrade to Yarn and Webpack. In October of this year, Adam Stankiewicz posted an article on Bower’s blog on how to migrate away from Bower, highlighting his repo, bower-away, which he created in July. Still, this year’s install numbers show Bower has more than double the number of Yarn installs, so we’ll see how that plays out. If you’re in the mood to relax with a long read, check out this closed issue discussing whether or not to deprecate Bower.

I don’t know which of these dogs I relate to the most.

One thing they might not consider is how many users install Bower based on a tutorial they take and never actually visit their page. Since this message to the public is fairly recent, we can look at the numbers for next year to see the impact it has had.

1,941,913 installations

In their words, “jspm is a package manager for the SystemJS universal module loader, built on top of the ES6 dynamic module loader.” It can load any module format (ES6, AMD, CommonJS and globals) directly from any registry, like npm and GitHub. jspm doesn’t seem to get much love on GitHub in the form of forks and stars, but there has been constant activity throughout this year. With nearly two million downloads this year and monthly downloads consistently hovering between ~150,000 and 200,000, it looks like jspm remains strong.

provided by npm stats


Okay, lumping them all together might sound harsh, but let’s be honest, people don’t use them as much as npm, Bower, Yarn, or jspm.

Which others, you ask? Today, we’re going to take a look at the three that are doing the best in terms of installs this year: component, pnpm, and ied. If we take a look at the graphs provided by npm stats (yes, just like Yarn, they can all be installed using npm), pnpm dominates the other two. I also wanted to show a chart looking at monthly downloads from February 2015. In this chart it looks like component and ied have peaked and are slowly declining, while pnpm is on an upward trajectory. Let’s take a quick look at each project.

pnpm – 334,497 installs: It has by far the most installs of these “other” package management libraries and is the youngest of the bunch, with its first commit in January 2016. It focuses on speed and on efficient use of disk space. It currently appears to be actively worked on, with a commit every few days or so.

Component – 35,340 installs: This project is obsolete and has not had a commit for 2 years, but still has over 35,000 installs this year.

ied – 22,522 installs: It is all about being “like npm, but faster” and had its first commit in August 2015. It is specifically for Node and has killer ASCII art, but has not had a commit for over a year.

Only the future can really tell what will become of these brave “other” libraries. However, it is probably safe to say that component and ied may eventually disappear and never appear in the top tier of package managers. This is the open source world, so never say never.

So the package manager battle continues, but at the end of the day we have options for some really good package management tools. Isn’t that the way it should be? You tell me. I’m just happy to have a great way to install everything I need to create all the weird app ideas I have in mind!

Related: Check out this excellent list of package managers.


In 2017, ECMAScript continued with small but impactful releases, the race between package managers continued to improve our experiences, we have great tools to make JavaScript easier, and we have more ways to use the advancements of the modern web. 2017 was pretty crazy, but look at all these bright spots that we have in our JavaScript world. It’s true, I am an optimist! There’s bound to be a lot more to say in a year but, for now, let’s be thankful that JavaScript has survived another year without burning everything.

