NPM not tied in knots over Yarn rival project

Parallel projects just happen when the future is obvious

By Thomas Claburn in San Francisco


NPM, keeper of the npm Registry and the software package management tool called npm that pulls JavaScript packages from said registry, is testing another sort of package manager called tink.

Previously referred to as frog and then crux, until someone discovered there was an npm package called crux, tink represents an attempt to make the process of installing npm packages a bit less onerous by allowing dependencies to be installed on the fly. The naming problem may not be resolved since there's also another npm module named tink.

When developers create Node.js applications – Node.js being a runtime for executing JavaScript code outside the browser – various code libraries are often required. Declared in the package.json file at the base directory of Node apps, these modules get installed with the appropriate command to a package manager like npm or Yarn (a rival spun out of Facebook) and then get fetched from the npm Registry.

This can take time, particularly if a lot of files have to be copied to the node_modules folder, and may create a computing resource bottleneck.

With tink, the hope is that the process can become a bit less involved by removing the need for package installation via the npm install command.

Where a traditional Node app would throw an error if a require statement referenced an uninstalled module, tink creates a .package-map.json file that contains the hashes of every file in every installed package. Thereafter, running the app without the modules downloads them from the npm Registry and extracts the package tarballs. Tink hands the app bootstrapping and dependency fetching off to the Node process.

In an email to The Register, Rebecca Turner, product manager of open source software at NPM, said tink's goal is to make module installation not just transparent and faster but also invisible. The software represents an attempt to rethink how people interact with Node and the npm ecosystem, she said.

"npm currently provides the strongest reproducibility guarantees available by installing directly from archives that are verified to match the cryptographic checksums in our lock files on every install," she said. "With tink, we're storing these per file in the distribution, which will in the long term open up the possibility of smaller and faster downloads from npm."
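The per-file hashing described above can be sketched as follows. This is an added example, not tink's or npm's code: the map layout, the package name and the file contents are assumptions constructed for illustration, since the page does not show the real .package-map.json schema. Hashes use the SRI-style `sha512-<base64>` form that npm lock files use for their `integrity` field.

```javascript
// Added example, not tink's code. The map layout below is an assumption.
const { createHash } = require('node:crypto');

const ALLOWED = new Set(['sha256', 'sha384', 'sha512']); // SRI hash algorithms
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// SRI-style string ("sha512-<base64>"), the form npm lock files use for `integrity`.
function sri(buf, algo = 'sha512') {
  return `${algo}-${createHash(algo).update(buf).digest('base64')}`;
}

// Build { "name@version": { "relative/path": "sha512-..." } } from file contents.
function buildPackageMap(packages) {
  const map = Object.create(null);
  for (const [id, files] of Object.entries(packages)) {
    map[id] = Object.create(null);
    for (const [path, content] of Object.entries(files)) map[id][path] = sri(content);
  }
  return map;
}

// Check one package's files against the map and report every deviation.
function verifyPackage(map, id, files) {
  const expected = map[id];
  if (!expected) return { ok: false, problems: [`${id}: not in map`] };
  const problems = [];
  for (const [path, want] of Object.entries(expected)) {
    const algo = want.slice(0, Math.max(want.indexOf('-'), 0));
    if (!ALLOWED.has(algo)) problems.push(`${path}: unsupported algorithm`);
    else if (!has(files, path)) problems.push(`${path}: missing`);
    else if (sri(files[path], algo) !== want) problems.push(`${path}: hash mismatch`);
  }
  for (const path of Object.keys(files)) {
    if (!(path in expected)) problems.push(`${path}: not listed in map`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample package (not a real registry package).
const SAMPLE = { 'example-lib@1.0.0': {
  'package.json': Buffer.from('{"name":"example-lib","version":"1.0.0"}'),
  'index.js': Buffer.from('module.exports = () => 42;\n'),
} };
// Same package after a constructed on-disk modification plus an unlisted file.
const TAMPERED = { ...SAMPLE['example-lib@1.0.0'],
  'index.js': Buffer.from('module.exports = () => 41;\n'),
  'extra.js': Buffer.from('// unexpected file\n') };

const MAP = buildPackageMap(SAMPLE);
console.log(verifyPackage(MAP, 'example-lib@1.0.0', TAMPERED).problems);
```

A whole-tarball checksum can only say that an archive as a whole changed; a per-file map also names which file differs and flags files the map never listed.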

Unraveling Yarn

As it happens, Yarn, an alternative package manager, just proposed a similar effort called Plug'n'Play, which is described in more detail in an explanatory paper.

Turner says it's just a coincidence. "They were developed concurrently, without knowledge from either team that the other was working on something similar," she said. "It is often the case that expert practitioners see the same next steps as obvious and this is a case of that."

Tink and Plug'n'Play have technical differences, said Turner, and there's no telling how they'll compare in terms of user experience as they evolve.

"At the moment, they differ in that Yarn Plug'n'Play doesn't change your workflow – you still have to run yarn to get a copy of your modules," she said. "By contrast, tink is drop-in-replacement for Node itself, so you just run your program with it and it will install the modules you need if they aren't yet on your system."

What may not be a coincidence is the timing of npm's announcement, which came on Wednesday evening, Pacific Time, a day before Maël Nison, the Facebook software engineer who maintains Yarn, announced Plug'n'Play.

Via Twitter, Nison chided NPM folk, charging that NPM betrayed his confidence with the timing of its announcement.

Nonetheless, according to Turner, Nison plans to convene a meeting of authors of Node package managers to share thoughts on the road ahead. ®
