Why wouldn't I use npm to install yarn?

In the blog post announcing yarn (an alternative npm client) they say, "The easiest way to get started is to run npm install -g yarn". But if you go to the "install yarn" page in their docs, "npm install yarn" isn't listed on any of the platform-specific installation pages, and it's only offered as the third of three options on the "Alternatives" page. Furthermore when you npm install yarn it prints a deprecation warning, "It is recommended to install Yarn using the native installation method for your environment." So my question is if npm install is the easiest installation method, why isn't it a recommended method in their docs? Are there disadvantages to installing yarn using npm?

56862 次浏览

Because npm is not platform specific and runs on almost any system it is listed as an Alternative. There is no advantage or disadvantage over the platform specific installs. The difference would be the install location but all methods expose the global yarn command to your CLI.

I would argue they listed it as "the easiest way" because most people are already very familiar with npm.

There's no visible disadvantage to installing Yarn through npm. In fact I chose this method myself because of a few reasons:

  1. It's clearly the easiest way to do it. npm i --global yarn and you can literally replace npm with yarn on your console immediately.
  2. If you're using nvm and maintaining different code projects on each NodeJS version, then you can install Yarn on one version and not have it on the other
  3. Honestly, the only reason I can think of that it is not mentioned in the Platform Specific installs, is that npm is platform agnostic

Edit (2020/11/23):

Thanks to @Kissaki for providing an update on Yarn's advice in the comments.

As of Yarn 2.x, the Yarn team has altered their advice and now suggests installing the tool via npm. This advice centers around the advantages of locking the version of Yarn used on a per-project basis. This allows projects to be resilient to variations between versions of Yarn.

From the new Yarn "Installation" page:

Using a single package manager across your system has always been a problem. To be stable, installs need to be run with the same package manager version across environments, otherwise there's a risk we introduce accidental breaking changes between versions - after all, that's why the concept of lockfile was introduced in the first place! And with Yarn being in a sense your very first project dependency, it should make sense to "lock it" as well.

For this reason, Yarn 2 and later are meant to be managed on a by-project basis.

This is similar to other methods of locking build tool versions on a per-project basis. See the Gradle Wrapper for an example.

The advantages of a standalone Yarn installation fall apart rather quickly, particularly with the Yarn team's change in direction. Installing via npm is now suggested, and instructions for standalone installations no longer appear to be offered on their site as of Yarn 2.x.


Original Answer:

According to the Yarn project maintainers, installing Yarn via npm goes against the goals of the project, can cause issues, and is, in general, worse than platform-specific installation methods.


Advantages to recommended platform-specific installation:

  • The Yarn teams regards npm as insecure and unreliable. From the "Install via npm" section on Yarn's "Installation" page:

Note: Installation of Yarn via npm is generally not recommended. Installing Yarn with npm is non-deterministic, the package is not signed, and the only integrity check performed is a basic SHA1 hash, which is a security risk when installing system-wide apps.

For these reasons, it is highly recommended that you install Yarn through the installation method best suited to your operating system.

  • Running Yarn, which is a separate package manager utility, via npm can lead to edge-case issues (see issue 2072)
  • Installing via a system package manager decouples Yarn from npm, allowing you to run Yarn without npm
  • The system package manager typically runs regularly, keeping Yarn updated
  • Installing Yarn via npm is slow

Advantages to npm install -g yarn:

  • Quick and easy (npm install -g yarn)
  • Can be done in any npm environment (platform-agnostic)
  • Familiar paradigm and process for Node.js developers
  • Can be easily updated (npm update -g yarn)
    • A Yarn update command exists (yarn self-update) but it seems to be broken
  • No dependence on system package managers
  • Can use different versions of Yarn for different projects or different versions of Node.js via nvm

The system package manager arguments for the recommended installation tend to break down when referring to Windows, where there is no official package manager (unless you count Windows Update). Also, Windows package managers such as Chocolatey are often not configured for automatic updates.

I'm not sure that I fully agree with the Yarn team's decision on this, but they do make some fair points. The Yarn project is still young and if it is to become a replacement for npm then it wouldn't make sense to encourage npm as its primary installer.

Regardless, installations via npm seem to work just fine for now in most cases.


Sources:

I don't use npm to install yarn because: as of May 2022, installing on ubuntu according to the official documentation of nvm and Yarn via npm breaks capistrano scripts.

bash: yarn: command not found

Yarn works in the ssh terminal session.

Detailed Description "Why does something work in my SSH session, but not in Capistrano?" https://capistranorb.com/documentation/faq/why-does-something-work-in-my-ssh-session-but-not-in-capistrano/

So I removed the default install of nvm nodejs yarn,

$ npm uninstall -g yarn
$ nvm deactivate
$ nvm uninstall 16.15.0
$ nvm unload
$ rm -r ~/.nvm

and installed yarn like this:

$ curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash -
$ curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
$ echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
$ sudo apt-get update && sudo apt-get install yarn
$ node -v
v16.15.0
$ npm -v
8.5.5
$ yarn -v
1.22.19

Capistrano scripts are now working.