Yarn 1.0 simplifies JavaScript dependency management

Facebook’s Yarn, an alternative JavaScript package manager to NPM, has reached a 1.0 release, which features a workspaces capability to ensure the latest code is being used on engineering projects.

With workspaces, users transition their code base into a “mono-repository” to ensure that the most recent code gets used. Workspaces aggregate dependencies from package.json files and install them all at once. Also featured in Yarn 1.0 is auto-merging of lock files, whereby Yarn automatically resolves merge conflicts in lock files when working with multiple contributors pulling the same code.

A selective version resolutions capability streamlines the version control process to make sure code has the latest security updates and bug fixes. The aim is to address problems in which packages may receive important fixes or security updates but a project may not be a direct consumer of those dependencies. Other highlights in Yarn 1.0 include an improved upgrade experience, a quicker file integrity check, and a separate lock file parser module. Users also can defer to another Yarn binary for consistency.
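The selective version resolutions described above are declared in a `resolutions` field in package.json. The following added example (not from the article or the Yarn project) checks that a v1 yarn.lock actually honours global pins; it assumes exact pinned versions, handles only `pkg` and `**/pkg` patterns, and uses constructed package names and lockfile content.

```javascript
// Added example: verify that yarn.lock (v1) honours exact versions pinned
// under "resolutions" in package.json. All sample data is constructed.
function parseLock(text) {
  const entries = [];
  let names = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      // Entry header such as: "@scope/pkg@^1.0.0", pkg@~1.2.0:
      names = new Set(line.slice(0, -1).split(",").map((s) => {
        const spec = s.trim().replace(/^"|"$/g, "");
        return spec.slice(0, spec.lastIndexOf("@"));
      }));
    } else if (names) {
      // Only the entry's own two-space "version" field, not nested blocks.
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) for (const name of names) entries.push({ name, version: m[1] });
    }
  }
  return entries;
}

// Package name for a global pin ("pkg" or "**/pkg"); null for path-specific
// patterns such as "a/b", which this check does not evaluate.
function pinnedName(pattern) {
  const p = pattern.startsWith("**/") ? pattern.slice(3) : pattern;
  const parts = p.split("/");
  const scoped = p.startsWith("@") && parts.length === 2;
  return parts.length === 1 || scoped ? p : null;
}

// Lock entries whose resolved version differs from a global pin.
function findViolations(pkgJson, lockText) {
  const pins = new Map();
  for (const [pattern, version] of Object.entries(pkgJson.resolutions || {})) {
    const name = pinnedName(pattern);
    if (name) pins.set(name, version);
  }
  return parseLock(lockText)
    .filter((e) => pins.has(e.name) && pins.get(e.name) !== e.version)
    .map((e) => ({ ...e, expected: pins.get(e.name) }));
}

// Constructed sample: a stale lockfile that still carries an unpinned copy.
const samplePkg = { resolutions: { "**/minimist": "1.2.8", "@demo/util": "2.0.1", "mkdirp/glob": "7.2.3" } };
const sampleLock =
  '# yarn lockfile v1\n\nminimist@^1.2.0, minimist@~1.2.5:\n  version "1.2.8"\n\n' +
  'minimist@0.0.8:\n  version "0.0.8"\n\n' +
  '"@demo/util@^2.0.0":\n  version "2.0.1"\n\nglob@^7.1.0:\n  version "7.1.0"\n';
console.log(findViolations(samplePkg, sampleLock));
```

A non-empty result means the lockfile was not regenerated after the pin was added, so the fix the pin was meant to pull in is not what gets installed.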

Future plans for open source Yarn include working with NPM to provide two-factor authentication, to increase confidence in the packages being installed. Also planned are a streamlined release process and tooling to ensure that no breaking changes are made in minor or patch releases.

Initially released 11 months ago, Yarn is now used by more than 175,000 projects on GitHub that have a yarn.lock file, which assists with dependency management, in their root directory, Facebook said. With Yarn, engineers can access the NPM registry while installing packages more quickly and managing dependencies consistently across machines or in secure offline environments, Facebook said. Yarn was based on a collaboration with Google, Exponent, and Tilde.