NPM not tied in knots over Yarn rival project

Parallel projects just happen when the future is obvious

By Thomas Claburn in San Francisco


NPM, keeper of the npm Registry and the software package management tool called npm that pulls JavaScript packages from said registry, is testing another sort of package manager called tink.

Previously referred to as frog and then crux, until someone discovered there was an npm package called crux, tink represents an attempt to make the process of installing npm packages a bit less onerous by allowing dependencies to be installed on the fly. The naming problem may not be resolved since there's also another npm module named tink.

When developers create Node.js applications – Node.js being a runtime for executing JavaScript code outside the browser – various code libraries are often required. Declared in the package.json file at the base directory of Node apps, these modules get installed with the appropriate command to a package manager like npm or Yarn (a rival spun out of Facebook) and then get fetched from the npm Registry.

This can take time, particularly if a lot of files have to be copied to the node_modules folder, and may create a computing resource bottleneck.

With tink, the hope is that the process can become a bit less involved by removing the need for package installation via the npm install command.

Where a traditional Node app would throw an error if a require statement referenced an uninstalled module, tink creates a .package-map.json file that contains the hashes of every file in every installed package. Thereafter, running the app without the modules downloads them from the npm Registry and extracts the package tarballs. Tink hands the app bootstrapping and dependency fetching off to the Node process.

In an email to The Register, Rebecca Turner, product manager of open source software at NPM, said tink's goal is to make module installation not just transparent and faster but also invisible. The software represents an attempt to rethink how people interact with Node and the npm ecosystem, she said.

"npm currently provides the strongest reproducibility guarantees available by installing directly from archives that are verified to match the cryptographic checksums in our lock files on every install," she said. "With tink, we're storing these per file in the distribution, which will in the long term open up the possibility of smaller and faster downloads from npm."
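The per-file hashing described above can be sketched as follows. This is an added example, not code from tink or npm: the map layout, the function names and the `example-lib` sample contents are assumptions constructed here, and only the `sha512-<base64>` digest string follows the form npm lock files use for their integrity fields.

```javascript
const crypto = require('crypto');
// Own-property check, so a file named "constructor" is not a false hit.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// SRI-style digest string, the form npm lock files use for "integrity".
function sri(buf) {
  return 'sha512-' + crypto.createHash('sha512').update(buf).digest('base64');
}

// Hypothetical layout: { "<name>@<version>": { "<relative path>": "<sri>" } }.
function buildPackageMap(packages) {
  const map = {};
  for (const [id, files] of Object.entries(packages)) {
    map[id] = Object.fromEntries(Object.entries(files).map(([f, c]) => [f, sri(c)]));
  }
  return map;
}

// Report every difference between the recorded map and the current contents.
function verifyAgainstMap(map, packages) {
  const findings = [];
  for (const [id, expected] of Object.entries(map)) {
    const actual = has(packages, id) ? packages[id] : {};
    for (const [file, digest] of Object.entries(expected)) {
      if (!has(actual, file)) findings.push(`${id}/${file}: missing`);
      else if (sri(actual[file]) !== digest) findings.push(`${id}/${file}: modified`);
    }
    for (const f of Object.keys(actual)) if (!has(expected, f)) findings.push(`${id}/${f}: unexpected`);
  }
  for (const id of Object.keys(packages)) if (!has(map, id)) findings.push(`${id}: package not in map`);
  return findings;
}

// Constructed sample data: file contents held in memory instead of node_modules.
const installed = { 'example-lib@1.0.0': {
  'package.json': Buffer.from('{"name":"example-lib","version":"1.0.0"}'),
  'index.js': Buffer.from('module.exports = (a, b) => a + b;\n'),
  'README.md': Buffer.from('# example-lib\n'),
} };
const packageMap = buildPackageMap(installed);
const drifted = {
  'example-lib@1.0.0': {
    'package.json': installed['example-lib@1.0.0']['package.json'],
    'index.js': Buffer.from('module.exports = (a, b) => a - b;\n'),
    'extra.js': Buffer.from('// not part of the published package\n'),
  },
  'other-lib@2.0.0': { 'index.js': Buffer.from('') },
};
console.log(verifyAgainstMap(packageMap, drifted));
```

A whole-archive checksum only says that a tarball changed; a per-file map also names the file that was modified, removed or added after extraction.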

Unraveling Yarn

As it happens, Yarn, an alternative package manager, just proposed a similar effort called Plug'n'Play, which is described in more detail in an explanatory paper.

Turner says it's just a coincidence. "They were developed concurrently, without knowledge from either team that the other was working on something similar," she said. "It is often the case that expert practitioners see the same next steps as obvious and this is a case of that."

Tink and Plug'n'Play have technical differences, said Turner, and there's no telling how they'll compare in terms of user experience as they evolve.

"At the moment, they differ in that Yarn Plug'n'Play doesn't change your workflow – you still have to run yarn to get a copy of your modules," she said. "By contrast, tink is a drop-in replacement for Node itself, so you just run your program with it and it will install the modules you need if they aren't yet on your system."

What may not be a coincidence is the timing of npm's announcement, which came on Wednesday evening, Pacific Time, a day before Maël Nison, the Facebook software engineer who maintains Yarn, announced Plug'n'Play.

Via Twitter, Nison chided NPM folk by charging that NPM betrayed his confidence with the timing of its announcement.

Nonetheless, according to Turner, Nison plans to convene a meeting of authors of Node package managers to share thoughts on the road ahead. ®
