New Features and Changes in npm@5: Detailed Overview and Comparison with Yarn
npm@5 adds automatic package-lock.json generation, makes --save the default, improves Git and local-directory dependencies, adds prepack/postpack scripts, verifies downloads against SHA-512 integrity hashes, rewrites the cache and adjusts registry handling. Despite early bugs it narrows Yarn's speed advantage considerably, making it a compelling choice for npm-centric workflows.
npm recently released version 5.0 (npm@5), which records the dependency tree automatically, enforces strong integrity checks, rewrites the cache and brings a number of other upgrades. This article reviews the new features and changes based on hands-on use and closes with a brief comparison with Yarn.
Update Overview
According to the official release notes, the main new features of npm@5 are:
Default creation of package-lock.json, which locks the full dependency tree using a new shrinkwrap format (it adds a lockfileVersion field, among others).
--save is now the default: npm install records the dependency in package.json unless --no-save is given.
Git dependency improvements: a specific semver range can be requested (the #semver: suffix), and a prepare script declared by the dependency is run at install time, after its devDependencies have been installed.
Dependencies that point at a local directory are now symlinked into node_modules instead of copied, which speeds up installation.
New lifecycle scripts: prepack and postpack run around npm pack and npm publish; preinstall now runs before the rest of the install, so it can modify node_modules before npm does.
Publishing now records both SHA-512 and SHA-1 checksums, and installs verify every downloaded tarball against the stronger hash (the integrity field in the lockfile).
The cache and the npm cache commands were rewritten; --cache-min and --cache-max are gone, replaced by --prefer-offline, --prefer-online and --offline, and the cache is otherwise managed by npm itself.
Registry priority is adjusted: the registry from your configuration replaces the one recorded in the lockfile's resolved URLs, except for scopes mapped to a different registry.
Additional changes include falling back to the cache when offline, recording optionalDependencies in the lockfile, stricter handling of local tarballs, a default log level of notice, node-gyp.cmd support on Windows, and replacement of ./cli.js with ./bin/npm-cli.js.
Feature 1: Lockfile
npm@5 writes package-lock.json automatically the first time npm install runs. The file records the exact dependency tree, including each package's resolved URL and integrity hash, so that every later install reproduces the same tree. It plays the same role as the older npm-shrinkwrap.json but is never published with the package; commit it to version control so that collaborators and CI install exactly what you tested.
If both package-lock.json and npm-shrinkwrap.json are present, npm-shrinkwrap.json takes precedence.
For reference, the official specifications are:
npm-shrinkwrap.json
package-lock.json
npm-package-locks
Feature 2: Git Dependency Optimisation
Git dependencies can now be installed with a specific semver version, e.g.:
npm install git+https://github.com/chalk/chalk.git#semver:1.0.0
The prepare script is also honoured: when the cloned repository declares one, npm installs the repository's devDependencies and runs the script before installing the package. Keep in mind that this executes code from the repository on the installing machine; pinning a specific commit rather than a semver range, and reading the script before adding the dependency, limits what can change underneath you.
Feature 3: File Dependency Optimisation
Local directory dependencies are now installed via symlinks (except for local tarballs), which speeds up the process:
npm install ../packages/mylib
npm install file://packages/mylib
Only npm supports this file:// specifier at present.
Feature 4: Cache Optimisation
The cache is now fully managed by npm: npm cache clean refuses to run without --force, npm cache verify checks the cached data and the cache index against their recorded hashes and garbage-collects unneeded entries, and the old --cache-min / --cache-max options have been removed in favour of --prefer-offline, --prefer-online and --offline.
Performance Comparison
Using npm 5.0.3 and Yarn 0.24.6, a series of scenarios were benchmarked (first install, repeated install with/without cache, with/without lockfile, after deleting node_modules , etc.) against the official npm registry, Yarn registry and Taobao registry. The results show that Yarn is generally a bit faster, but the gap has narrowed considerably with npm@5.
Sample test package.json used:
{
  "name": "test1",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "react": "^15.5.4",
    "react-dom": "^15.5.4",
    "react-native": "^0.45.1",
    "react-redux": "^5.0.5",
    "redux": "^3.6.0"
  },
  "devDependencies": {
    "babel-core": "^6.25.0",
    "babel-loader": "^7.0.0",
    "babel-preset-es2015": "^6.24.1",
    "babel-preset-react": "^6.24.1",
    "webpack": "^2.6.1"
  }
}
The hardware used was a MacBook Pro (15‑inch, 2016) with a 2.9 GHz Intel Core i7 running macOS Sierra 10.12.3.
Known Bugs
npm@5 introduced many breaking changes, and early versions (e.g., 5.0.3) contain bugs such as incorrect dependency‑tree calculations after repeated installs, leading to missing sub‑dependencies or lockfile corruption. Users with high stability requirements should review the current bug list before upgrading.
Conclusion
npm@5 brings significant speed and usability improvements, making it a viable alternative to Yarn. Yarn still holds a slight performance edge in most scenarios, but the gap is now small. Choose the tool that best fits your workflow: continue with Yarn if it works for you, or upgrade to npm@5 for better compatibility with npm-centric environments.
Tencent Music Tech Team
Public account of Tencent Music's development team, focusing on technology sharing and communication.