Why wouldn't I use npm to install yarn?

node.js npm npm-install yarnpkg
Chris Arnesen picture Chris Arnesen · Oct 13, 2016 · Viewed 47.6k times · Source

In the blog post announcing yarn (an alternative npm client) they say, "The easiest way to get started is to run npm install -g yarn". But if you go to the "install yarn" page in their docs, "npm install yarn" isn't listed on any of the platform-specific installation pages, and it's only offered as the third of three options on the "Alternatives" page. Furthermore when you npm install yarn it prints a deprecation warning, "It is recommended to install Yarn using the native installation method for your environment." So my question is if npm install is the easiest installation method, why isn't it a recommended method in their docs? Are there disadvantages to installing yarn using npm?

Answer

Mike Hill picture Mike Hill · Apr 12, 2017

Edit (2020/11/23):

Thanks to @Kissaki for providing an update on Yarn's advice in the comments.

As of Yarn 2.x, the Yarn team has altered their advice and now suggests installing the tool via npm. This advice centers around the advantages of locking the version of Yarn used on a per-project basis. This allows projects to be resilient to variations between versions of Yarn.

From the new Yarn "Installation" page:

Using a single package manager across your system has always been a problem. To be stable, installs need to be run with the same package manager version across environments, otherwise there's a risk we introduce accidental breaking changes between versions - after all, that's why the concept of lockfile was introduced in the first place! And with Yarn being in a sense your very first project dependency, it should make sense to "lock it" as well.

For this reason, Yarn 2 and later are meant to be managed on a by-project basis.

This is similar to other methods of locking build tool versions on a per-project basis. See the Gradle Wrapper for an example.

The advantages of a standalone Yarn installation fall apart rather quickly, particularly with the Yarn team's change in direction. Installing via npm is now suggested, and instructions for standalone installations no longer appear to be offered on their site as of Yarn 2.x.

Original Answer:

According to the Yarn project maintainers, installing Yarn via npm goes against the goals of the project, can cause issues, and is, in general, worse than platform-specific installation methods.

Advantages to recommended platform-specific installation:

  • The Yarn teams regards npm as insecure and unreliable. From the "Install via npm" section on Yarn's "Installation" page:

Note: Installation of Yarn via npm is generally not recommended. Installing Yarn with npm is non-deterministic, the package is not signed, and the only integrity check performed is a basic SHA1 hash, which is a security risk when installing system-wide apps.

For these reasons, it is highly recommended that you install Yarn through the installation method best suited to your operating system.

  • Running Yarn, which is a separate package manager utility, via npm can lead to edge-case issues (see issue 2072)
  • Installing via a system package manager decouples Yarn from npm, allowing you to run Yarn without npm
  • The system package manager typically runs regularly, keeping Yarn updated
  • Installing Yarn via npm is slow

Advantages to npm install -g yarn:

  • Quick and easy (npm install -g yarn)
  • Can be done in any npm environment (platform-agnostic)
  • Familiar paradigm and process for Node.js developers
  • Can be easily updated (npm update -g yarn)
    • A Yarn update command exists (yarn self-update) but it seems to be broken
  • No dependence on system package managers
  • Can use different versions of Yarn for different projects or different versions of Node.js via nvm

The system package manager arguments for the recommended installation tend to break down when referring to Windows, where there is no official package manager (unless you count Windows Update). Also, Windows package managers such as Chocolatey are often not configured for automatic updates.

I'm not sure that I fully agree with the Yarn team's decision on this, but they do make some fair points. The Yarn project is still young and if it is to become a replacement for npm then it wouldn't make sense to encourage npm as its primary installer.

Regardless, installations via npm seem to work just fine for now in most cases.

Sources:

Related questions

How to ignore incompatible engine "node" error on installing npm dependencies with yarn?

Given this package.json: { "name": "yarn-install-fail", "version": "1.0.0", "description": "", "main": "index.js", "scripts": {}, "author": "", "license": "ISC", "dependencies": { "aws-sdk": "2.x.x", "s3-streams": "^0.3.0" } } I can install the dependencies successfully via npm: $ npm install added 27 packages in 1.844s Yet yarn fails: $ yarn install …

Read More
NPM preinstall script

I am trying to run some policing script before any packages are installed. For Example: { "name": "pre-hook-check", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "preinstall": "echo preinstall", "postinstall": "echo postinstall" }, "author": "", "license": "…

Read More
How to solve npm error "npm ERR! code ELIFECYCLE"

I'm trying to learn react, so I have this sample code for the full-stack react voting app, and I am trying to get it to work but after running npm install followed by npm start I receive the following error …

Read More