Default to Yarn

[dternyak]

Points to consider:

1. electron-builder recommends yarn (TODO: find source)
2. yarn has supposed security benefits (TODO: find source)
3. yarn is more performant than npm (TODO: find source)

[skubakdj]

1. The NPM page for electron-builder has the brief statement

Yarn is strongly recommended instead of npm.

which links out to this issue as an explanation.

2. Here's a neat article from last December comparing the two. Quoting its section on security:

A major problem with npm is that it automatically runs code from dependencies and permits packages to be added on the fly, While this feature comes with its conveniences, it also creates security vulnerabilities. Since Yarn only installs from your yarn.lock or package.json files, it’s considered to be more secure, which is increasingly important in today’s world. Yarn also makes use of checksums before installation to ensure the integrity of each package.

3. Here's a Medium post by Netscape comparing performance. Yarn comes out ahead of NPM. In my experience, I've found Yarn to be significantly faster than NPM when doing a fresh install of node modules.

[HenryNguyen5]

Don't really agree with the security article now that npm5 is default, there shouldn't be any difference security wise. Definitely agree with the performance boost though, and yarn having its own offline cache helps a lot on intermittent internet connections.

[HenryNguyen5]

Currently encountering this issue with yarn at times: nodejs/node-gyp#809 (comment)

[SharonManrique]

Added to Asana