Is there any harm in using NPM and Yarn in the same project?

yarnpkg

Although a few commenters here say its ok to mix both yarn and npm on the same project, after using yarn and npm and then yarn again, this is what yarn has to say about it:

warning package-lock.json found. Your project contains lock files generated by tools
other than Yarn. It is advised not to mix package managers in order to avoid resolution 
inconsistencies caused by unsynchronized lock files. To clear this warning, remove
package-lock.json.

Since to me it is not any harm to using both them into one project.

I use npm and yarn (50/50) in dev environment. But on ci/di i use only yarn because it is faster, and i reduce build minutes thanks yarn.

Also they both create different .lock file names.


Nobody told about the lock files.

Imagine you use yarn on dev environment, and yarn on your build/production servers. When you install a package using yarn, and your project works on your computer, you probably would want to keep it working on a production environment (your server).

That being sad, you would commit you yarn.lock file, that "saves" the exact versions of each package you have, when the project ran on your computer.

On your buid/production server you should call yarn install, but asking to keep all the same versions with --frozen-lockfile parameter. Some even say "yarn install --frozen-lockfile should be the default behavior", and I agree.

Then... another dev jump in the project you are working and install a package using npm (other than yarn). That new package will not be included in your yarn.lock file, but, a new package-json.lock file would be created, telling the exact packages versions it is using.

When that commit arrives on your build/production server, it will crash, fail, because that new package doesn't exist on yarn.lock file. Someone would need to pull that changes, call a yarn to install the dependences and update the lock file with the new package dependences, and push it again to the repo.

A quick point about using the lock file or not. If you call a 'yarn install' on your build/production server some weeks after the last install on your machine, the server would have many other new versions than your last "stable" version. It already happened to me many times.

I published recently the package-locks-checks, which help ensure you have not just one lock file but also locked each package version on your project.


Here https://classic.yarnpkg.com/en/docs/migrating-from-npm/ we may find a confirmation that Yarn's resolution algorithm is compatible with NPM resolution algorithm.

Inside a npm project (with package.json) if you run yarn it will read your node_modules folder (using the resolution algorithm) and create a yarn.lock file with your project's locked dependency tree.

Based on that I assume that they are compatible inside the same project.

Update 30/04/2021

My original reply refers to yarn 1 (classic), although I've just created a React app with create-react-app tool and it creates the project's repository with package.json + yarn.lock by default. Again, another demonstration that it's fine (even with the warning mentioned by Dave Pile).

At the end of the day this is a matter of putting both together to work and checking yourself...

Related

Open dropdown(in a datagrid view) items on a single click
any good tool for makefile generation? [closed]
java.io.StreamCorruptedException: invalid stream header: 7371007E
How can I get LWP to validate SSL server certificates?
FileResult with MemoryStream gives empty result .. what's the problem?
Call has been made on garbage collected delegate in C#?
How does Haskell tail recursion work?
Stop jasmine test after first expect fails
How to use an image as a point in ggplot?
Python list greater than number [duplicate]
Count Returning blank instead of 0
Can a span be closed using <span />?