Forem: Younes Merzouka

Picking a Package Manager for Your CI/CD Pipeline

Younes Merzouka — Sun, 15 Mar 2026 22:12:22 +0000

If you want to ship fast then CI/CD is the most important thing for you to consider. But have you ever thought "Does the package manager I use really matter for CI/CD?". This might not be an issue for other languages like Python, but JavaScript does have a few options to choose from: some claiming to be the fastest, others prioritizing developer experience and disk usage, and then there's good old NPM.

In this blog post we'll look into different package managers, examples of how to use each, and how well each performs when it comes to CI/CD pipelines. Of course, with everybody's favorite: Benchmarks.

The package managers we will discuss are PNPM, NPM, Yarn and Bun.

Setup

The application used is the standard NestJS starter app, running on a GitLab CI pipeline. Below are the Dockerfile for each of the package managers with a brief explanation of the flags used and some extra info.

Note: We will not focus on securing the images for now, so the examples don't include any security measures. Distroless is used to minimize the size of the final container image.

NPM

The ci option ensures that package-lock.json is used, preventing any accidental changes to dependency versions. --omit=dev ensures only production dependencies are installed.

FROM node:22.22.1-slim AS base
WORKDIR /app

FROM base AS install
COPY ./package.json ./package-lock.json ./
RUN npm ci

FROM install AS build
COPY . .
RUN npm run build

FROM base AS deps
COPY ./package.json ./package-lock.json ./
RUN npm ci --omit=dev


FROM gcr.io/distroless/nodejs24-debian13 AS prod
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=deps /app/node_modules ./node_modules/
EXPOSE 3000
CMD [ "/app/dist/main.js" ]

PNPM

--frozen-lockfile has the same effect as npm ci — it locks the install to what's in the lockfile. The PNPM global store is placed at /pnpm inside the Docker image, configured via PNPM_HOME.

FROM node:22.22.1-slim AS base
ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH"
RUN corepack enable
WORKDIR /app

FROM base AS install
COPY ./package.json ./pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile

FROM install AS build
COPY . .
RUN pnpm run build

FROM base AS deps
COPY ./package.json ./pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod


FROM gcr.io/distroless/nodejs24-debian13 AS prod
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=deps /app/node_modules ./node_modules/
EXPOSE 3000
CMD [ "dist/main.js" ]

Yarn

The default Yarn configuration that comes with NestJS uses the old classic version rather than the modern one with Plug'n'Play. To upgrade, run yarn set version stable, then enable PnP with yarn config set nodeLinker pnp — this skips node_modules entirely. Then install with yarn install. For the rest of this post, "Yarn" refers to this latest Plug'n'Play version.

FROM node:22.22.1-slim AS base
WORKDIR /app
RUN corepack enable

FROM base AS build
COPY package.json yarn.lock .yarnrc.yml ./
RUN yarn install --immutable
COPY . .
RUN yarn build

FROM base AS deps
COPY package.json yarn.lock ./
RUN corepack enable \
&& yarn workspaces focus --production

FROM gcr.io/distroless/nodejs24-debian13:debug AS prod
WORKDIR /app
COPY --from=deps /root/.yarn/berry/cache /root/.yarn/berry/cache
COPY --from=deps /app/.pnp.cjs /app/.pnp.loader.mjs ./
COPY --from=deps /app/.yarn ./.yarn
COPY --from=build /app/dist ./dist
EXPOSE 3000
CMD [ "--require", "./.pnp.cjs", "dist/main.js" ]

Bun

FROM docker.io/oven/bun:1.3-alpine AS base
WORKDIR /usr/src/app

FROM base AS install
COPY ./bun.lock ./package.json ./
RUN bun install --frozen-lockfile

FROM install AS build
COPY . .
RUN bun run build

FROM docker.io/oven/bun:1.3-alpine AS prod
WORKDIR /app
COPY --from=build /usr/src/app/dist ./dist
COPY --from=install /usr/src/app/node_modules ./node_modules
EXPOSE 3000
ENTRYPOINT [ "bun", "dist/main.js" ]

How Package Managers Work — and Why It Matters for CI

Before jumping to the benchmarks, it's worth understanding what actually differentiates these package managers under the hood, since their design choices directly affect both install speed and image size.

PNPM

PNPM's main goal is solving the disk space problem that node_modules are notorious for. On a typical machine, every project gets its own full copy of every dependency — meaning if you have ten projects all using React, you have ten copies of React on disk.

PNPM solves this by maintaining a single global content-addressable store (pointed to by $PNPM_HOME), where every package file is stored exactly once. Each project's node_modules then contains hard links pointing back to that central store rather than actual copies of the files. To keep the store lean, PNPM also tracks file-level changes between package versions using hashes — only storing the differing files, not a full new copy of the package.

Beyond disk savings, PNPM also addresses a subtle but important issue called phantom packages. Here's the problem: NPM has historically hoisted dependencies — meaning if your dependency express depends on lodash, NPM would move lodash up into the root node_modules folder, making it accidentally importable in your own code. Your project would work even though you never listed lodash in package.json. If express later drops it or changes its version, your code silently breaks.

PNPM avoids this by keeping each package's dependencies isolated under node_modules/.pnpm/package@version/node_modules/, and exposing only your direct dependencies as symlinks at the root of node_modules. This makes the dependency tree accurate and predictable.

What this means for Docker

While PNPM's central store is extremely useful during development — especially in monorepos — it doesn't give you the same benefit inside a Docker container. Each container is its own isolated environment with its own dependencies, so the global store never gets reused across builds the way it would on a developer machine. In practice, PNPM ends up behaving similarly to NPM in a container context.

Bun

Bun takes a fundamentally different approach to performance: it treats package installation as a systems problem rather than a JavaScript problem.

The core of this is Bun being written in Zig, a compiled systems language, rather than JavaScript. This alone removes a significant layer of overhead. But Bun also targets three specific bottlenecks that slow down Node.js-based package managers:

System calls: Node.js uses libuv, a C library, to make OS-level calls for things like reading files and managing threads. Each call involves some compatibility overhead, and Node.js adds further overhead managing its thread pools. Bun calls the OS more directly and with fewer round-trips. You can see this concretely in the strace output below, from Bun's blog:

Benchmark 1: strace -c -f npm install
    Time (mean ± σ):  37.245 s ±  2.134 s [User: 8.432 s, System: 4.821 s]
    Range (min … max):   34.891 s … 41.203 s    10 runs

    System calls: 996,978 total (108,775 errors)
    Top syscalls: futex (663,158),  write (109,412), epoll_pwait (54,496)

  Benchmark 2: strace -c -f bun install
    Time (mean ± σ):      5.612 s ±  0.287 s [User: 2.134 s, System: 1.892 s]
    Range (min … max):    5.238 s …  6.102 s    10 runs

    System calls: 165,743 total (3,131 errors)
    Top syscalls: openat(45,348), futex (762), epoll_pwait2 (298)

Nearly 6× fewer system calls.

Manifest parsing: NPM reads package metadata from human-readable formats like JSON and YAML, which need to be parsed on every install. Bun stores this metadata in a binary format that can be loaded directly without parsing.

Decompression: When downloading packages (which are compressed tarballs), most tools decompress on the fly, guessing at buffer sizes and reallocating memory as data streams in. Bun instead downloads the full compressed file first, determines the exact buffer size needed using the gzip format, allocates it once, and then decompresses — eliminating unnecessary memory copies.

Bun also starts DNS lookups while reading package.json rather than waiting until after, trimming latency at the very start of the install process. There are a few more optimizations covered in the references if you want to go deeper.

Yarn

Yarn's Plug'n'Play mode works differently from both NPM and PNPM. Rather than populating a node_modules folder at all, Yarn downloads packages as .zip archives and stores them in a central cache folder (viewable via yarn config get cacheFolder — in our container, this is /root/.yarn/berry/cache).

At runtime, instead of Node.js resolving modules from node_modules, Yarn injects a custom loader (.pnp.cjs) that intercepts require() calls and loads modules directly from the .zip archives. The current install state is saved in .yarn/install-state.gz, and the package cache lives in .yarn/cache.

This design means no node_modules directory is created when you run yarn install — which also means no hoisting, no phantom packages, and significantly less I/O.

Why Yarn performed so well

The architecture above translates directly into install speed. Yarn only needs to download and archive packages, then generate the loader — no creating thousands of symlinks or hard links per file, simpler hoisting logic, no repeated I/O across a deep directory tree, and proper tracking of your project's dependencies. For a fresh Docker build where none of those steps can be cached, that's a meaningful advantage.

Result

Package Manager	Run 1 (f813c0c5)	Run 2 (ecb90ce2)	Run 3 (0938ee84)	Average Time	Average Size (MiB)
yarn	1:20	1:23	1:14	1:19	58.26
npm	1:49	2:06	1:51	1:55	57.32
pnpm	1:55	1:54	2:12	2:00	57.32
bun	2:06	2:01	2:14	2:07	72.14

Even though I personally expected Bun to win this, it ended up performing on par with NPM — and the extra few MiB don't really justify the switch. So the winner here is Yarn, by a clear margin.

I did some digging trying to explain why Bun underperformed, but couldn't find a satisfying answer. I'd be very interested in hearing your thoughts in the comments, and depending on the discussion, a deeper dive might be worth its own post.

References

What Rust Does Differently: A Beginner's Perspective

Younes Merzouka — Sat, 07 Mar 2026 22:11:29 +0000

Rust makes a lot of interesting decisions about how things work — what you can and cannot do, and how you do certain things. Coming from a mostly web development background, three concepts in particular caught my attention as a beginner: Mutability, Ownership, and Handling Null.

Mutability

Rust variables are immutable by default. So code like this in JavaScript:

let a = 0;
a += 1;

...wouldn't work in Rust:

let a = 0;
a += 1; // compiler error

To mutate a variable, you need to add the mut keyword:

let mut a = 0;
a += 1;

The reason is safety. This mechanism forces you to explicitly opt into mutability, which makes your code more deterministic and avoids problems — especially with concurrency, where two threads might otherwise modify the same variable without you realising it.

Mutable References

One thing that tripped me up early on was mutable references. Suppose we want to read from stdin:

let mut s = String::new();
io::stdin().read_line(&s); // passing a reference to s

This looks reasonable — similar to how you'd do it in C. But it actually results in a compiler error telling you that read_line expects a mutable reference. The correct version is:

let mut s = String::new();
io::stdin().read_line(&mut s);

You have to explicitly tell the compiler that the reference itself is mutable. Why this matters will become clearer once we talk about ownership.

Ownership

Managing allocated memory is a well-known challenge in systems programming, and there are a few common approaches:

Garbage collection — many high-level languages manage memory for you through a GC. This simplifies things for developers but can impact performance through "GC pauses", where the entire application halts while unused memory is freed. Not ideal for systems software.
Manual memory management — the approach C takes. You allocate memory and you're responsible for freeing it. This has historically led to many bugs and security vulnerabilities: null pointer dereferences, buffer overflows, use-after-free, and so on.

Rust takes a different approach through ownership.

Consider this example:

fn add_suffix(mut s: String, suf: &str) {
    s.push_str(suf);
    drop(s); // frees the heap memory
}

fn main() {
    let mut s = String::from("Hello, ");
    add_suffix(s, "World");
    println!("{}", s); // compiler error
}

The function add_suffix receives a String allocated on the heap, drops it (equivalent to free in C), and then main tries to access that freed memory — a classic use-after-free bug. Rust won't let this compile.

You might think the fix is simply to remove the drop:

fn add_suffix(mut s: String, suf: &str) {
    s.push_str(suf);
}

fn main() {
    let mut s = String::from("Hello, ");
    add_suffix(s, "World");
    println!("{}", s); // still a compiler error
}

But this still doesn't work. Passing s to add_suffix as an argument transfers ownership of s to that function.

So what does transferring ownership actually mean? In Rust, each heap-allocated value is owned by the scope in which it was created. When that scope ends, the memory is automatically freed. So when add_suffix returns, s is freed — and trying to use it in println! afterwards is accessing a dead memory region.

Here's another example of the same idea:

let p: &String;
{
    let s = String::from("Hello");
    p = &s;
} // s is dropped here, memory is freed
println!("{}", *p); // compiler error: p points to freed memory

The correct way to achieve what we originally wanted is through borrowing:

fn add_suffix(s: &mut String, suf: &str) { // takes a mutable reference
    s.push_str(suf);
}

fn main() {
    let mut s = String::from("Hello, ");
    add_suffix(&mut s, "World"); // lends s to the function
    println!("{}", s); // s is still valid here
}

By passing a reference (&mut s), main remains the owner of the memory. The function simply borrows it temporarily. When the function returns, the borrow ends — but the memory isn't freed, because main still owns it.

This same principle applies even without mutation. If you don't need to mutate the value, you use & instead of &mut. Now the reason you need &mut for mutable references (as we saw with read_line) should make a lot more sense.

Option

Rust doesn't have null. But there are situations where you genuinely want to express: "this function either returns a result, or nothing — not because of an error, but because there's simply nothing to return."

Consider this function:

fn get_slice_by_char(s: &str, needle: char) -> &str {
    for (i, c) in s.char_indices() {
        if c == needle {
            return &s[i..];
        }
    }
    return ?; // what do we return if the character isn't found?
}

null might seem useful here. For exactly these cases, Rust has Option<T>:

fn get_slice_by_char(s: &str, needle: char) -> Option<&str> {
    for (i, c) in s.char_indices() {
        if c == needle {
            return Some(&s[i..]);
        }
    }
    None
}

What makes Option<T> special is that it addresses the classic problem with null: forgetting to handle it. Option<T> forces you to explicitly deal with both cases. For example, this won't compile:

fn main() {
    let s: &str = get_slice_by_char("hello, there", 't');
    // compiler error: expected &str, found Option<&str>
}

The correct approach is to use match (similar to a switch statement) to handle both possibilities:

fn main() {
    let s: &str = match get_slice_by_char("hello, there", 't') {
        Some(slice) => slice,
        None => panic!("Character not found"),
    };
}

The compiler won't let you use the value inside an Option without first unpacking it — which means you can never accidentally forget to handle the "nothing" case.

These three concepts — mutability, ownership, and Option — felt strange to me at first coming from other languages. But once they click, you start to see how they all work together to make Rust code safe without needing a garbage collector. Pretty elegant, honestly.