NPM not tied in knots over Yarn rival project

NPM, keeper of the npm Registry and the software package management tool called npm that pulls JavaScript packages from said registry, is testing another sort of package manager called tink.

Previously referred to as frog and then crux, until someone discovered there was an npm package called crux, tink represents an attempt to make the process of installing npm packages a bit less onerous by allowing dependencies to be installed on the fly. The naming problem may not be resolved since there's also another npm module named tink.

When developers create Node.js applications – Node.js being a runtime for executing JavaScript code outside the browser – various code libraries are often required. Declared in the package.json file at the base directory of Node apps, these modules get installed with the appropriate command to a package manager like npm or Yarn (a rival spun out of Facebook) and then get fetched from the npm Registry.

This is can take time, particularly if a lot of files have to be copied to the node_modules folder, and may create a computing resource bottleneck.

With tink, the hope is that the process can become a bit less involved by removing the need for package installation via the npm install command.

Where a traditional Node app would throw an error if a require statement referenced an uninstalled module, tink creates a .package-map.json file that contains the hashes of every file in every installed package. Thereafter, running the app without the modules downloads them from the npm Registry and extracts the package tarballs. Tink hands the app bootstrapping and dependency fetching off to the Node process.

In an email to The Register, Rebecca Turner, product manager of open source software at NPM, said tink's goal is to make module installation not just transparent and faster but also invisible. The software represents an attempt to rethink how people interact with Node and the npm ecosystem, she said.

"npm currently provides the strongest reproducibility guarantees available by installing directly from archives that are verified to match the cryptographic checksums in our lock files on every install," she said. "With tink, we're storing these per file in the distribution, which will in the long term open up the possibility of smaller and faster downloads from npm."

Unraveling Yarn

As it happens, Yarn, an alternative package manager, just proposed a similar effort called Plug'n'Play, which is described in more detail in an explanatory paper.

Turner says it's just a coincidence. "They were developed concurrently, without knowledge from either team that the other was working on something similar," she said. "It is often the case that expert practitioners see the same next steps as obvious and this is a case of that."

Tink and Plug'n'Play have technical differences, said Turner, and there's no telling how they'll compare in terms of user experience as they evolve.

"At the moment, they differ in that Yarn Plug'n'Play doesn't change your workflow – you still have to run yarn to get a copy of your modules," she said. "By contrast, tink is drop-in-replacement for Node itself, so you just run your program with it and it will install the modules you need if they aren't yet on your system."

What may not to be a coincidence is the timing of npm's announcement, which came on Wednesday evening, Pacific Time, a day before Maël Nison, the Facebook software engineer who maintains Yarn, announced Plug'n'Play.

Via Twitter, Nilson chided NPM folk by charging that NPM betrayed his confidence with the timing of its announcement.

It's nice you've worked on the same ideas. It's not so nice that you've used the knowledge I willingly shared with you last Tuesday (including the release date) to make an announcement before we did, with a project still clearly in its infancy 🤷‍♀️

— Maël (@arcanis) September 14, 2018

Nonetheless, according to Turner, Nison plans to convene a meeting of authors of Node package managers to share thoughts on the road ahead. ®