I'm aware this shouldn't be here (because it's not exactly product related), but I couldn't help but raise this here.
I just came across a presentation [1] by Laurie Voss (“Co-founder / COO of @npmjs” as per Twitter bio) discussing several metrics related to npm (Inc.) and the whole JavaScript ecosystem.
One of the slides implies it's faster than yarn [2] and one of the slides goes as far as saying “Use npm because npm is safer than Yarn” [3].
I'd really love anyone from the Yarn project to debunk this, for the most part seemingly unfounded (and frankly a bit arrogant), presentation.
Disclaimer: I'm not fond of this kind of comparison, tbh. I feel like we should all do our best and let the users see by themselves what their preferences are. Yarn was initially created because npm wasn't satisfying our needs at the time, so it made sense to compare them a bit back then, but now we do our best to highlight our value regardless of what our "competitor" says or does.
I'm not sure what Laurie's referencing regarding the "safer than", so it'll be hard to "debunk". Some points that I can mention (keep in mind that this is based on my personal opinion; grain of salt yada yada):
Yarn doesn't support 2FA when publishing on the npm registry at the moment (Can't publish package with NPM account that has enabled 2FA #4904). It would be nice to have that, though. If a contributor wants to implement this I would happily review and merge it! 🙂 (edit: we now have it as of 1.12. Community ftw!)
We check the integrity of everything we download against what's inside the lockfile. Maybe he meant that we don't support SHA256, but that's not true since 1.10.
We've recently implemented the audit feature. So if what he meant by that was that Yarn didn't implement it, it's no longer true since 1.12.
Overall I wouldn't say the audit feature is actually a security feature. If you're in a case where it matters, it generally means that your project might already have been compromised. A passing audit doesn't mean your project is safe, just that no one audited (or found the vulnerabilities in) your packages. Is it a project management feature? Sure. A security feature? Not really.
I know that npm is quite proud of their corruption-resilient cache. From my practical experience cache corruptions never happen under sane environments (I don't remember seeing a single issue regarding this), so while we do trust our cache to be correct it's because it usually is.
Overall Yarn is a good tool, npm is a good tool, pnpm is a good tool (we don't talk enough about pnpm). Using any of them is a good choice, whether it's on security or on speed. And while I have no idea what's on npm's roadmap, I'm confident that Yarn can and will become an even better tool in the coming years (as evidenced by the work we've recently released on Plug'n'Play, but also other ambitious works in progress).
[1] https://slides.com/seldo/npm-future-of-javascript
[2] https://slides.com/seldo/npm-future-of-javascript#/12
[3] https://slides.com/seldo/npm-future-of-javascript#/21