Hacker News new | ask | show | jobs
by crubier 2060 days ago
Yarn v2 PnP is simply a lifesaver if you have a medium+ sized monorepo.

We have a monorepo with 180 packages here. Without pnp, it takes 1h+ just to npm install any new third party package in any local package, it’s a joke. With pnp it takes 18s.

So yes, from my point of view NPM is completely inadequate for any serious JS codebase.
9 comments
lhorie 2060 days ago
We have a pretty large monorepo codebase (460 packages and counting) that we're migrating from yarn v1 to yarn v2. I'll say it's definitely not a plug-n-play migration (pardon the pun).

Some issues we ran into:

- it can be difficult to reason about the layout of peer dependencies. Often times libraries that rely on Symbols or referential equality break and you need to mess with packageExtensions or add resolutions or unplug. Debugging mostly consists of throwing stuff at a wall and see what sticks

- file watching at large enough projects breaks w/ file descriptor exhaustion errors, forcing you to find and unplug the offending libraries

- there's a number of known incompatible libraries (flow being one of the most prominent) and the core team approach to these at this point follows paretto (20% effort for 80% results, e.g. special casing for typescript), meaning I don't believe there will ever be a 100% compatibility milestone w/ the ecosystem

- it's much more black-boxy in terms of day-to-day debugging (e.g. it's much harder to manually edit files in node_modules to trace some root cause)

- we ran into inscrutable errors deep in packages that interface w/ C++ and basically were only able to fix by pinning to an earlier version of a library that did not depend on said package.

- migration cost is heavily proportional to codebase complexity. My understanding is that Facebook gave up on it completely for the foreseeable future and ours has similarly been a significant time investment (and we're not even targeting strict mode yet)

The pros:

- install times and project switching times are indeed fast, even in our codebase that contains multiple major versions of various packages

- yarn v2 has many interesting features, such as protocols (though it's debatable if you want to commit to lock-in to benefit from those)

link
arcatek 2060 days ago
Regarding TypeScript, I think it's important to point out that we have a working PR in the TypeScript repository that we've been maintaining for about a year now. It's not so much special casing as being ahead of trunk. I still hope the TypeScript team will show interest eventually and we'll be able to streamline the development.

[1] https://github.com/microsoft/TypeScript/pull/35206

link
lhorie 2060 days ago
I meant special casing in the sense that this a conscious effort specifically targeted at Typescript support, as opposed to some generic design that would cater to a large class of projects.

Mind you, I understand that there are legitimate reasons to approach it this way now (e.g. technical limitations, differences in opinion wrt project governance, cost/benefit on long tail, etc). I'm mostly cautioning the unaware that one shouldn't necessarily expect that every package will work under yarn v2 (though an overwhelmingly large majority does work just fine).

link
acemarke 2060 days ago
From what I've seen, the "unplug" command is supposed to allow you the ability to temporarily unzip a package so that you can do the traditional "hand-edit a file in a dependency" debugging approach.
link
lhorie 2060 days ago
Yes, but when you're dealing w/ transitive dependencies, often times you need to jump between many packages. And you then need to clean up after your debugging since you typically don't want to leave things unplugged if they don't need to be (as that affects performance).

I'm not saying it's impossible to debug, just that you end up having to jump through more hoops.

link
acemarke 2060 days ago
Well, you gotta clean up files you've hand-edited in `node_modules`, too, if you've been adding a bunch of `console.log` statements :)

at least this way it's just deleting the temp package folder or running whatever the "replug" command is, instead of having to go figure out all the files you were editing.

link
lhorie 2060 days ago
Eh, node_modules hacking is certainly not great by any stretch of the imagination, but once you work with it long enough, there's a bunch of stuff that you just get efficient at. Spamming undos in open files is fairly easy. If the editing ends up being a real fix, then you upstream it and install again. There's also considerations about jump-to-definition and similar tools, etc.

You can't accidentally commit your debugging (unplug edits package.json and there's no replug command) and you don't end up with 3 unplugged folders for the same package (that's a whole can of worms on its own). There's also some yarn 2 specific pitfalls regarding __dirname in local packages, symlinking semantics, etc.

Anyways, getting way too into the weeds here, I better stop now lol :)

link
eyelidlessness 2060 days ago
I tried yarn 2 on a greenfield project, but discovered:

- pnp is made possible in part by mysterious “patches” to certain dependencies that don’t work well with it. Mysterious as in they’re obfuscated, and there isn’t much detail besides commit history. This is blocking if you wanna try out, say, the TypeScript 4.1 beta and the patch isn’t ready yet. But more importantly um... I do not want my dependency manager mysteriously patching stuff with obfuscated code?????

- it applies these patches even if you disable pnp, so same objections to the entire yarn 2 approach (currently)

So I’m back on yarn 1 and apparently gonna need to look at npm 7 at this point.

link
eyelidlessness 2060 days ago
I wrote the above before caffeine really kicked in, so I neglected to add: pnp is itself achieved in part by obfuscating your entire dependency tree. That takes a loooot of trust, on a matter where trust has already exceedingly deteriorated. In hindsight, I regret even considering it.
link
acemarke 2060 days ago
Can you clarify what you mean by "obfuscating the dependency tree"?
link
desert_boi 2059 days ago
They probably mean the idea that once you're in PnP, you can "kind of, sort of" peer into zipfs deps, but not in the same way that was possible in bare node_modules.

That said, I think yarn 2's PnP + zero installs (https://yarnpkg.com/features/zero-installs) is lovely with CI. Instead of tacking 40+ seconds to resolve deps every build, vending deps with PnP on is much cheaper than the node_modules equivalent.

link
eyelidlessness 2059 days ago
A gigantic single file encoded version of `node_modules` is just modules I can’t go look in.
link
eyelidlessness 2059 days ago
(Not a real edit): my last gig was with a lot of well prepared juniors, but they lacked the confidence to go look inside dependencies to find out what was happening. I tried to encourage setting breakpoints or logging or whatever felt comfortable in required packages. It was hard.

Turning that into a blob is even more discouraging.

link
acemarke 2059 days ago
As I mentioned elsewhere in the thread, Yarn v2 does have an "unplug" command that will extract a given dep into a folder for the time being. Does help with that use case.
link
eyelidlessness 2059 days ago
And if you trust that they’re fundamentally the same thing, that’s a great escape hatch. I personally tried to use two new things together and discovered that one is transparent and one is opaque magic... and given the opportunity to do harm, I found the opacity of one alarming. I don’t trust yarn to manage dependencies in pnp, because what I saw in how they handled a special case was completely black box. Literally binary blob patches with no explanation of what it’s doing or why. Completely impossible to audit without reverse engineering or auditing the entire tool. Why would I trust “unplug” to do anything but misdirect?
link
chrisweekly 2060 days ago
Sorry if this makes it harder but I honestly recommend reading up on pnpm (https://pnpm.js.org/) before committing to npm7. Npm7 auto-installs peer dependencies(!) and pnpm has some remarkable advantages over npm or yarn.
link
crubier 2059 days ago
Pnpm is indeed better than npm but I found it’s symlinking approach less compatible than yarn v2, (nextJS for example didn’t support pnpm until very recently) while also having less deterministic module resolution, creating version compatibility problems that disappeared with yarn v2.
link
eyelidlessness 2059 days ago
I had already been meaning to look at it but had written it off because I wanted what yarn 2 was selling... but definitely gonna give it another look.
link
vosper 2060 days ago
Did you try out pnpm, by chance? I’ve read a few good things, but it doesn’t seem to get mentioned all that often. So I’m curious what people with larger projects think about it.

https://pnpm.js.org/

link
andrew_ 2060 days ago
I use it in some rather large repos and am a very big fan. It's simply fantastic for every type of repo and project I've thrown it into.
link
crubier 2059 days ago
I did try it but it caused two problems as compared to yarn v2: the dependency resolution algorithm seems less deterministic or strict, causing version incompatibilities that yarn v2 did solve, and also the symlinks are poorly supported by many tools (nextJS until very recently, react native etc...). Also the install is longer with pnpm. However it has less runtime performance impact.
link
georgyo 2060 days ago
Cannot figure out why you are being down voted. YarnV1 and NPM are horrible if you have a large dependency tree. YarnV2 was the first time I enjoyed the package manager.
link
411111111111111 2060 days ago
Likely because he indirectly said that projects using less then 180 dependencies aren't serious.
link
romanoderoma 2060 days ago
could it be that in some languages (like my language for example) serious is kinda of a synonym for large?

I've been downvoted at times for using it to mean exactly that, but I can't help it after more than 40 years of thinking in a language different from English.

link
crubier 2059 days ago
By serious I meant large indeed, I’m not a native speaker. I have some serious projects that have less than 180 packages too aha.

But if you start an ambitious company with a JS codebase today, start with yarn v2, you’ll save yourself some pain in the future.

link
untog 2060 days ago
I'd push back against "serious JS codebase", there.

Maybe it's just me but a monorepo with 180 packages sounds like a hole you've dug yourself into and you're propping yourself up with yarn.

I certainly don't think that anyone who keeps their packages separate (you could do that even within a monorepo, surely) has a "non-serious" codebase.

link
crubier 2059 days ago
Well yarn exists for this purpose so I guess I’m not the only one doing this. And if the alternative involves having to manage independent versioning of 180 packages and their inter-dependencies then no thanks.

I’m not saying the situation is completely perfect (yarn v2 had its rough edges in the beginning for example), but it’s not too bad either. This monorepo is the best organized codebase of this size and diversity I’ve ever seen.

Feel free to explain alternative methods to manage 180 packages with 7 developers while sleeping at night.

link
cute_boi 2060 days ago
I don't know why you are down voted but I agree here. PNP is so good it takes less time less storage. Yarn v2 is very superior than yarn v1/npm
link
madjam002 2060 days ago
Yarn 2 is very nice. The portal: protocol is great and it works well with Nix package manager.
link
croes 2060 days ago
Some would say the same about NodeJS especially since Deno exists.
link
benologist 2060 days ago
This NPM cache been a huge time-saver for me, you can run it locally or across your whole network for a shared cache -

https://guides.sonatype.com/repo3/quick-start-guides/proxyin...

https://hub.docker.com/r/sonatype/nexus/

link