Clarify recommended package manager

[mcandre]

Node.js still comes with npm as the default package manager. And the official Node.js online documentation continues to list npm commands. However, the official Node.js Docker Hub images strangely contain yarn by default, which is not lockfile compatible with npm.

So which of these two package managers should Node.js users be using? If the answer is npm, then would be good to drop yarn from the next major Node.js release series tags on Docker Hub, in order to provide leaner images. This reduces confusion, storage costs, and network bills.

[aduh95]

would be good to drop yarn from the next major Node.js release series tags on Docker Hub, in order to provide leaner images. This reduces confusion, storage costs, and network bills.

Same apply for npm, do you think we should remove both?

So which of these two package managers should Node.js users be using?

Yarn, npm, and Node.js are three distinct projects, with different goals. Node.js users should use whatever suits their use case and their own preference (none, both, another package manager such as pnpm, etc.).

[richardlau]

Since this is specifically about the Docker images I'm going to transfer this over to https://github.com/nodejs/docker-node as the Docker working group has autonomy for what goes into those images.

[bri3d]

I am a strong advocate for the removal of both package managers from the blessed Docker images.

Package managers introduce a dependency surface area which makes the docker-node images harder to use in an audited corporate environment and limits their utility. Right now we take the base image, tag an image which uninstalls all package managers from the base image, and then copy our production Node app and dependencies into that image. It would be great not to have to do this, IMO a base image should be a base image.

It makes much more sense to me to install the package manager that a specific project needs as part of that specific project's build steps than to have multiple package managers included in a base image, as package mangers are a project specific dev dependency.

Otherwise, users are exposed to these sorts of annoying issues: npm/cli#3785 by default.

[SimenB]

Discussion about no package manager is duplicate of #404.
Discussion about only npm, no yarn is duplicate of #777.

(and note that node itself is embracing more than just npm, ref https://nodejs.org/api/corepack.html, which is available in the current LTS).

---

I think we should close this issue, whatever discussion comes out of it are covered in other, existent issues.

/cc @nodejs/docker