NPM not tied in knots over Yarn rival project

Parallel projects just happen when the future is obvious

By Thomas Claburn in San Francisco


NPM, keeper of the npm Registry and the software package management tool called npm that pulls JavaScript packages from said registry, is testing another sort of package manager called tink.

Previously referred to as frog and then crux, until someone discovered there was an npm package called crux, tink represents an attempt to make the process of installing npm packages a bit less onerous by allowing dependencies to be installed on the fly. The naming problem may not be resolved since there's also another npm module named tink.

When developers create Node.js applications – Node.js being a runtime for executing JavaScript code outside the browser – various code libraries are often required. Declared in the package.json file at the base directory of Node apps, these modules get installed with the appropriate command to a package manager like npm or Yarn (a rival spun out of Facebook) and then get fetched from the npm Registry.

This can take time, particularly if a lot of files have to be copied to the node_modules folder, and may create a computing resource bottleneck.

With tink, the hope is that the process can become a bit less involved by removing the need for package installation via the npm install command.

Where a traditional Node app would throw an error if a require statement referenced an uninstalled module, tink creates a .package-map.json file that contains the hashes of every file in every installed package. Thereafter, running the app without the modules downloads them from the npm Registry and extracts the package tarballs. Tink hands the app bootstrapping and dependency fetching off to the Node process.

In an email to The Register, Rebecca Turner, product manager of open source software at NPM, said tink's goal is to make module installation not just transparent and faster but also invisible. The software represents an attempt to rethink how people interact with Node and the npm ecosystem, she said.

"npm currently provides the strongest reproducibility guarantees available by installing directly from archives that are verified to match the cryptographic checksums in our lock files on every install," she said. "With tink, we're storing these per file in the distribution, which will in the long term open up the possibility of smaller and faster downloads from npm."
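The lock-file check described above, as an added example that is not npm's or tink's own code. It assumes the `integrity` string format found in package-lock.json (`<algorithm>-<base64 digest>`, space-separated when several are listed); the function names are hypothetical and the "tarball" bytes are constructed stand-ins.

```javascript
// Added example: verify bytes against a lock-file style integrity string.
const crypto = require('node:crypto');

// Strongest first. Refusing sha1 is a policy choice of this example.
const PREFERRED = ['sha512', 'sha384', 'sha256'];

// Parse "alg-base64 alg-base64 ..." into { alg: [Buffer, ...] }.
function parseIntegrity(integrity) {
  const byAlg = {};
  for (const token of String(integrity).trim().split(/\s+/)) {
    const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (!m) continue; // malformed entries are ignored
    if (!byAlg[m[1]]) byAlg[m[1]] = [];
    byAlg[m[1]].push(Buffer.from(m[2], 'base64'));
  }
  return byAlg;
}

// True only if data matches a digest of the strongest algorithm listed,
// so a weaker entry in the same string cannot be used as a downgrade.
function verifyIntegrity(data, integrity) {
  const byAlg = parseIntegrity(integrity);
  const alg = PREFERRED.find((a) => byAlg[a]);
  if (!alg) return false; // nothing acceptable listed: fail closed
  const actual = crypto.createHash(alg).update(data).digest();
  return byAlg[alg].some(
    (expected) =>
      expected.length === actual.length &&
      crypto.timingSafeEqual(expected, actual)
  );
}

// Helper used only to build the constructed sample values below.
function sri(alg, data) {
  return `${alg}-${crypto.createHash(alg).update(data).digest('base64')}`;
}

// Constructed samples: a stand-in tarball and a one-byte-altered copy.
const tarball = Buffer.from('constructed stand-in for a package tarball');
const tampered = Buffer.from('constructed stand-in for a package tarbal1');
const lockEntry = { integrity: sri('sha512', tarball) };
// An entry listing a weak digest of the tampered bytes next to the real one.
const mixedEntry = `${sri('sha1', tampered)} ${lockEntry.integrity}`;

console.log('original :', verifyIntegrity(tarball, lockEntry.integrity));
console.log('tampered :', verifyIntegrity(tampered, lockEntry.integrity));
console.log('downgrade:', verifyIntegrity(tampered, mixedEntry));
```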

Unraveling Yarn

As it happens, Yarn, an alternative package manager, just proposed a similar effort called Plug'n'Play, which is described in more detail in an explanatory paper.

Turner says it's just a coincidence. "They were developed concurrently, without knowledge from either team that the other was working on something similar," she said. "It is often the case that expert practitioners see the same next steps as obvious and this is a case of that."

Tink and Plug'n'Play have technical differences, said Turner, and there's no telling how they'll compare in terms of user experience as they evolve.

"At the moment, they differ in that Yarn Plug'n'Play doesn't change your workflow – you still have to run yarn to get a copy of your modules," she said. "By contrast, tink is a drop-in replacement for Node itself, so you just run your program with it and it will install the modules you need if they aren't yet on your system."

What may not be a coincidence is the timing of npm's announcement, which came on Wednesday evening, Pacific Time, a day before Maël Nison, the Facebook software engineer who maintains Yarn, announced Plug'n'Play.

Via Twitter, Nison chided NPM folk by charging that NPM betrayed his confidence with the timing of its announcement.

Nonetheless, according to Turner, Nison plans to convene a meeting of authors of Node package managers to share thoughts on the road ahead. ®
