stumptown-content icon indicating copy to clipboard operation
stumptown-content copied to clipboard
verified publisher icon mdn

Switch to yarn

Open peterbe opened this issue 6 years ago • 12 comments

yarn is still much better than npm. It's faster, has support for "resolutions", easier to upgrade packages, ability to check that packages weren't manually added (without using the cli), etc. And from experience feels a lot more predictable and solid than npm.

Just today, I checked out master and ran npm install and it caused this massive change to package-lock.json

peterbe avatar May 08 '19 19:05 peterbe 

▶ npm --version
6.9.0

by the way.

I have no idea why we have npm as a dependency which seems just a strange chicken-and-egg thing.

peterbe avatar May 08 '19 19:05 peterbe

Not sure if this matters:

▶ node --version
v11.12.0

peterbe avatar May 08 '19 19:05 peterbe

I don't feel qualified to have an opinion on this.

But also: is this a thing we should try to make consistent across our projects? I mean if yarn is better, is it also better for kumascript and browser-compat-data and interactive-examples? This feels to me like a thing we should get consensus across the team and apply consistently.

wbamberg avatar May 30 '19 21:05 wbamberg

I'm wondering if this will introduce some unneeded contributor friction. When I install Node on my machine, I get npm too. But yarn is an additional tool I have to install before I can start contributing.

ddbeck avatar May 31 '19 12:05 ddbeck

[should we] try to make consistent across our projects?

Yeah. Maybe. But not right now. It's more complicated there because of the breadth and legacy. mdn2 is all yarn because it's a fresh new project so no excuse using aging/inferior tools when it's easy to make the upgrade now.

peterbe avatar May 31 '19 15:05 peterbe

But yarn is an additional tool I have to install before I can start contributing.

yarn is rapidly becoming more and more adopted. Most Node docker images on Dockerhub come with yarn pre-installed.

Senior JS developers who have experienced both usually prefer yarn. Me included. Oftentimes, the only proponents for npm is those who haven't tried yarn yet. Reminds me about how the only people who prefer MySQL (over Postgres) are those who've never had a chance to try Postgres properly.

When I worked in Product Delivery (last team before MDN) all JS projects used yarn and we were very happy with that.

peterbe avatar May 31 '19 15:05 peterbe

By the way, to me, a killer feature that we'd get right now is that with our current package-lock.json, every time I do cd stumptown-experiment && npm install it generates a different package-lock.json even though I didn't touch anything. So I have to then type git checkout package-lock.json to unstage that.

peterbe avatar May 31 '19 15:05 peterbe

Also,

[should we] try to make consistent across our projects?

I'm more than happy to take stabs at projects like browser-compat-data later. But I'd also like not to let this rot before we reach consensus. If it turns out that all everyone hates yarn in the stumptown eco system, at least we'll have experienced and learned a new tech that doesn't seem to be going away.

peterbe avatar May 31 '19 15:05 peterbe

Another reason why I prefer yarn is that you can poke at sub-dependencies without necessarily installing them. For example, one of your dependencies depends on (or depends on something that depends on etc) fstream. Then, you find out that that version of fstream is insecure and must be upgraded.

First of all, with yarn you can run:

yarn why fstream

and it lists all "parents" of that package.

Second, you can then indicate that no sub-dependency uses a version older than 1.0.12 So you add, to your package.json:

"resolutions": {
    "fstream": ">=1.0.12"
}

and run yarn again.

With npm you have to add "fstream": ">=1.0.12" to your dependencies (or devDependencies if you know where it comes from). But since you can't write comments in package.json the future you won't understand why it's there. "Apparently this project, top-level, depends on fstream but it's strange that I don't see it any of the ./src/**/*.js code!"

peterbe avatar Jun 03 '19 15:06 peterbe

I believe I've listed enough reasons why yarn is better than npm.

I'm totally happy to believe that yarn is better, but the point stands: I'd like us to have a considered and consistent policy for this across the MDN team. Adding more reasons yarn is better doesn't change that.

As a minimum, I'd like to bring this topic up in a whole-team setting and either:

  • have consensus to standardise on one or other package manager, with some level of commitment from maintainers of affected projects to move over to the winner

  • have consensus that it does not in fact matter to standardise a particular package manager, and different projects can choose package managers effectively at random (or at least, that the cost to established projects of switching is not worth the value of consistency).

wbamberg avatar Jun 04 '19 23:06 wbamberg

I can draft a draft ADR to be discussed in Whistler.

peterbe avatar Jun 05 '19 00:06 peterbe

Thank you! (I don't think it needs to be in Whistler, FWIW, email is fine. But Whistler is probably a good chance to pin people down.)

wbamberg avatar Jun 05 '19 00:06 wbamberg