Yarn 4.0 ups security, ease of use and performance – but is it enough to win back users?

The Yarn team is releasing version 4.0, the first major one since July 2021. New features include a Hardened Mode with extra security, tidier installation via the Corepack feature of Node.js, and the inclusion of all first-party plugins by default.

Yarn was introduced by Meta (then Facebook) in 2016, in collaboration with others including Google, as an alternative client for the npm registry. Yarn addressed issues of scaling, security and consistency which the Facebook team were experiencing with the npm client.

New in version 4.0 is Hardened Mode, a protection against an attack called lockfile poisoning, in which the lockfile used by yarn or npm is tampered with so that it pulls in malicious packages. Hardened Mode adds two checks: --refresh-lockfile, which re-fetches package metadata, and --check-resolutions, which validates the coherence of package resolutions. The main threat is when yarn is run on a pull request to a public GitHub repository, and Hardened Mode is enabled by default in that situation. Otherwise it is not enabled automatically, because it slows installation.
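To make the idea of a resolution-coherence check concrete, here is a small defender-side checker added for this article; it is not Yarn's own implementation of --check-resolutions. It parses a constructed, simplified lockfile in the Yarn Berry style and flags entries whose resolution either does not come from the npm registry or does not satisfy the version range the descriptor requested.

```python
import re
# Constructed, simplified lockfile in the Yarn Berry style (real entries carry more
# fields). Entry 1 is coherent; entry 2 was tampered with so minimist resolves to a
# tarball outside the npm registry; entry 3 resolves outside its requested range.
SAMPLE_LOCKFILE = '''\
"lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"

"minimist@npm:^1.2.8":
  version: 1.2.8
  resolution: "minimist@https://example.invalid/minimist-1.2.8.tgz"

"semver@npm:~7.5.0":
  version: 7.6.0
  resolution: "semver@npm:7.6.0"
'''

# One entry: a quoted descriptor line followed by two-space-indented "key: value" lines.
ENTRY_RE = re.compile(r'^"([^"\n]+)":\n((?:  [^\n]*\n?)*)', re.MULTILINE)


def parse_lockfile(text):
    """Return {descriptor: {field: value}} for every entry in the simplified lockfile."""
    entries = {}
    for descriptor, body in ENTRY_RE.findall(text):
        pairs = (line.strip().partition(": ") for line in body.splitlines())
        entries[descriptor] = {key: value.strip('"') for key, _, value in pairs}
    return entries


def satisfies(version, rng):
    """Minimal semver check: exact match, caret (same major) or tilde (same major.minor)."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    ver, base = as_tuple(version), as_tuple(rng.lstrip("^~"))
    if rng.startswith("^"):
        return ver[0] == base[0] and ver >= base
    if rng.startswith("~"):
        return ver[:2] == base[:2] and ver >= base
    return ver == base


def check_resolutions(text):
    """Flag entries whose resolution does not match the descriptor that requested them."""
    findings = []
    for descriptor, fields in parse_lockfile(text).items():
        name, _, rng = descriptor.partition("@npm:")
        resolution, prefix = fields.get("resolution", ""), f"{name}@npm:"
        if not resolution.startswith(prefix):  # e.g. swapped for an off-registry tarball
            findings.append(f"{descriptor}: resolution {resolution!r} is not an npm registry entry")
        elif not satisfies(resolution[len(prefix):], rng):
            findings.append(f"{descriptor}: resolved {resolution[len(prefix):]} is outside {rng}")
    return findings
```

Running check_resolutions(SAMPLE_LOCKFILE) reports the minimist and semver entries and passes lodash; a real lockfile would also need its checksum field compared against registry metadata, which is the part --refresh-lockfile covers.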

The recommended way to install Yarn is now via a tool built into Node.js, Corepack. Yarn is no longer intended to be installed globally or from npm. Corepack, which is still officially experimental, reads a packageManager field in the package.json file, the file that lists the modules used by the application. The packageManager field specifies both the client and its version. Corepack was first shipped in Node.js 16. Yarn 4.0 requires Node.js 18 or higher.

This update may be significant. If Yarn is installed via npm, which may seem intuitive, the version installed is 1.x, leading to some developers stating that “you always get v1 when you install (which I never understood).” Another said that they “had no idea Yarn was past 1.x.” In these circumstances it is not surprising that some have preferred pnpm, another npm replacement. That said, another common complaint is that Yarn 2, which was the first to introduce Yarn Plug’n’Play (pnp) in place of the traditional node_modules directory, was too different from Yarn 1, causing some to prefer the old version, or return to npm. Yarn now works smoothly whether or not the pnp option is used, and also supports the pnpm approach using a flat folder structure in node_modules. These options are set using the NodeLinker setting.

JavaScript Constraints, rules that specify particular workspace dependencies or package.json fields, now support TypeScript types, thanks to a new constraint engine based on JavaScript rather than Prolog. “Unfortunately, Prolog proved very complex to use,” said lead Yarn maintainer Maël Nison, describing the new release.

Yarn supports plugins, and previous versions used them for optional features. “The few KiBs we gained by not shipping all the features weren’t worth the confusion and friction they caused,” said Nison, explaining why all first-party features are now included, though third-party plugins are still supported.

There are also performance improvements in this version, amounting to around a 25 percent improvement in an example quoted by Nison, who also notes competition with pnpm in this respect. He does not claim that Yarn is faster than pnpm, only that it should be “as fast in most scenarios.”

How is Yarn doing? Improvements in npm, competition from pnpm, and the use of the Node.js alternatives Deno and new arrival Bun have added up to declining usage, according to the StackOverflow developer survey, which reported Yarn as used by 27.64 percent of developers in 2022 but only 21.86 percent in 2023. Yarn 4 brings sensible improvements as well as some unique features such as JavaScript Constraints, and should please existing users and perhaps tempt a few back.