Computer scienceBackendNode.jsModules and DependenciesPackage managers

Advanced Yarn

Provided by: JetBrains Academy
2 minutes read

Yarn, a package manager for JavaScript, offers a range of advanced features that can significantly enhance your development workflow and project management. These features include Yarn Workspaces for monorepo projects, Plug'n'Play for streamlined dependency management, and Yarn Audit for identifying and fixing vulnerabilities.

In this topic, you'll learn how to leverage these advanced Yarn features to optimize your JavaScript projects. You'll explore techniques for managing monorepos with Yarn Workspaces, setting up Plug'n'Play for faster development, resolving dependency conflicts using selective resolutions and aliasing, and ensuring project security with Yarn Audit.

Yarn Workspaces and Monorepos

Yarn Workspaces is a feature that enables you to manage multiple projects within a single repository, commonly known as a monorepo. A monorepo is a version-controlled code repository that holds multiple projects, which are usually related or share common code. A good example would be a library that depended on other small "micro" libraries, the best way to ship it is to have them all in the same place and execute them at the same time. Monorepos offer benefits such as simplified code sharing, streamlined dependency management, and easier refactoring across projects.

With Yarn Workspaces, you can efficiently manage monorepos by defining the workspaces property in the root package.json file with an array of package directories. For example:

{
    "private": true,
    "workspaces": [
        "packages/*"
    ]
}

This configuration tells Yarn to treat each directory inside the packages folder as a separate package. You can then run Yarn commands from the root directory, and Yarn will execute them across all the packages in the workspace.

Yarn Workspaces also optimizes dependency management by hoisting common dependencies to the root level. If multiple packages share the same dependency, Yarn will install it once at the root level, reducing redundancy and saving disk space.

Plug'n'Play (PnP)

Yarn's Plug'n'Play (PnP) feature transforms how dependencies are managed in JavaScript projects. PnP eliminates the need for a node_modules folder by using a single loader file, .pnp.cjs file to resolve dependencies directly. This file contains all the information about your project's dependencies, informs your tools about the location of the dependencies on your disk, and lets them know how to resolve imports.

To enable PnP in your project, run the following command:

yarn set version berry

This command sets your project to use the latest version of Yarn (currently called "berry") and enables PnP. Yarn generates a .pnp.cjs file containing all the necessary information to resolve dependencies.

All the packages are stored in one folder on your machine instead of having a node_modules folder per project. I'm sure you can already imagine what advantages this has. They are stored in a hidden folder ~/.cache/yarn.

With PnP, you'll benefit from faster installation times since Yarn skips creating a node_modules folder for every project. This is good since all it needs to do is generate a loader file instead of copying files and folders from one place to another. PnP also guarantees deterministic builds by locking the exact dependency versions used in your project. It generates a yarn.lock file that keeps track of the exact versions of all dependencies and their transitive dependencies, ensuring consistent and reproducible installations across different environments.

PnP also allows the reuse of the same packages across all the projects that use them. Once packages are installed, all projects on your disk can access them. PnP also has semantic erroring, meaning that error messages are more detailed. This can be really helpful when trying to address errors caused by imports.

Another huge advantage of PnP is ghost dependency protection. Ghost dependencies are dependencies that might still be in your node modules folder but are not required by the project, or the code that used them is no longer part of your code base. Yarn keeps a list of all packages and their dependencies, allowing it to prevent access to dependencies unaccounted for during resolution.

Keep in mind that some tools or libraries might not be fully compatible with PnP out of the box. In such cases, you may need to use additional tools like @yarnpkg/sdks to ensure compatibility.

Selective Resolutions, Aliasing, and Dependency Types

Yarn provides powerful features for resolving dependency conflicts and managing different types of dependencies.

Selective resolutions allow you to specify a particular version of a package to be used across your project, overriding the versions specified in individual package dependencies. Here's an example of setting a selective resolution:

{
    "resolutions": {
        "lodash": "4.17.21"
    }
}

This ensures that version 4.17.21 of the lodash package is used consistently throughout your project. This can also be helpful if a package depends on another that just got a major update. It prevents the version from changing, preventing your app from breaking.

Aliasing allows you to specify alternative package names or paths for dependencies, which is handy when using forked packages or referencing local packages. Say you wanted to store bcrypt, a package commonly used for hashing passwords, under the alias passwordSecretHash, here is how you would do it.

yard add passwordSecretHash@npm:bcrypt

Now, everytime you wanted to import it, you could do so using the alias as demonstrated below.

const passwordSecretHash = require('passwordSecretHash')

Another thing is that Yarn supports different types of dependencies:

  • dependencies: Regular dependencies required for production.

  • devDependencies: Dependencies needed only for development and testing.

  • peerDependencies: Dependencies that are not directly required by the package but expected to be provided by the consumer.

{
  "dependencies": {
    "react": "1.8.0"
  },
  "devDependencies": {
    "eslint": "2.3.9"
  },
  "peerDependencies": {
    "lodash": "2.3.4"
  }
}

Declare your dependencies accurately in the package.json file to ensure proper dependency management.

Yarn Audit

Security is paramount in JavaScript projects, and Yarn offers a built-in auditing tool called Yarn Audit to identify and fix vulnerabilities in your project's dependencies.

To run an audit, use the following command:

yarn audit

Yarn analyzes your project's dependencies and generates a report highlighting any discovered vulnerabilities, including their severity and recommended fixes.

To automatically fix vulnerabilities, run:

yarn audit fix

Yarn attempts to update the affected dependencies to versions that address the identified vulnerabilities.

Regularly running Yarn Audit and keeping your dependencies up to date is crucial for maintaining the security of your project. Yarn Audit helps you stay informed about potential risks and provides a straightforward way to mitigate them.

Conclusion

In this topic, we explored several advanced Yarn features that can greatly improve your JavaScript development workflow:

  • Yarn Workspaces for managing monorepo projects

  • Plug'n'Play (PnP) for streamlined dependency management

  • Selective resolutions and aliasing for resolving dependency conflicts

  • Managing different types of dependencies effectively

  • Using Yarn Audit to identify and fix vulnerabilities

By using these advanced Yarn features, you can simplify your development process, ensure project security, and build more maintainable and efficient JavaScript projects.

Now it's your turn to apply this knowledge to your own projects and see how these Yarn features can make your development experience better. Happy coding!ti

How did you like the theory?
Report a typo