
A critique of package managers

(www.gingerbill.org)
109 points | posted by gingerBill | 1 comment
Octoth0rpe No.45167870
> Each dependency is a potential liability.

I mean, sure. So what does the solution look like? From my perspective it looks like a tool that is able to update your dependencies so that you can easily pick up bug fixes in your dependencies, which sounds an awful lot like a package manager.

> JavaScript is great example of this as there are multiple different package managers for the language (npm being one of the most popular), but because each package manager defines the concept of a package differently, it results in the need for a package manager manager.

This doesn't seem like a strong point to me. Yes, there are things like yarn, pnpm, etc. But IIUC practically all npm alternatives still define packages in the same way (a package.json at the root hosted by npmjs (or your private repo)), and the differences are ergonomic/performance related.

> [that each package manager defines the concept of a package differently] is why I am saying it is evil, as it will send you to hell quicker.

Then I think it's more of a language problem, not a problem with the concept of a package manager.

replies(5): >>45167879 #>>45167968 #>>45167990 #>>45167997 #>>45168723 #
Sesse__ No.45167990
> I mean, sure. So what does the solution look like?

Obviously taking on fewer such liabilities?

replies(1): >>45168037 #
Octoth0rpe No.45168037
The article specifically excludes this as _the_ solution to the problem:

> I am not advocating to write things from scratch.

and is clear in its target:

> That’s my general criticism: the unnecessary automation.

Yes, fewer dependencies is a solution, but it does not seem to be the author's position.

replies(1): >>45168839 #
gingerBill No.45168839
That is my position... again, I am not sure how you got this conclusion from the article.

The "I am not advocating to write things from scratch" is more of a caveat to the people I know will comment NIH nonsense rather than anything productive.

But yes, my position is: minimize dependencies, slowly and carefully vet them too, and do not automate this process.
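An added illustration of the two threads above (that npm-style package managers all read the same package.json, and that dependency updates should be vetted rather than automated). This is example code written for this page, not code from the article, from gingerBill, or from any npm tool; the package.json object is constructed inline, and the classification rules are an assumption about which specifier shapes allow an update to pull in a version nobody has looked at.

```javascript
// Added example, not from the thread or the article it discusses.
// Scan a package.json object and report every dependency whose version
// specifier is not pinned to one exact release. A floating range (^, ~, *,
// >=, ||, x) or a branch reference lets "npm update" or a fresh install
// resolve to a version that was never vetted; an exact version (ideally
// backed by a lockfile integrity hash) is the form a careful review can sign off on.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Classify one specifier string. The categories are an assumption for this
// example, not npm's own terminology.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return "exact";
  // git/url/file sources: vetting depends on the referenced commit or path,
  // and a branch name (e.g. "#main") is as floating as a semver range.
  if (/^(git\+|git:|https?:|github:|file:|ssh:)/.test(s) || s.includes("/")) {
    return "url-or-git";
  }
  // npm aliases such as "npm:real-name@1.2.3" are exact only if the inner spec is.
  if (s.startsWith("npm:")) {
    const at = s.lastIndexOf("@");
    return at > 4 && EXACT_VERSION.test(s.slice(at + 1)) ? "exact" : "range";
  }
  return "range";
}

// Return the dependencies that an automated update could silently change.
function unpinnedDependencies(pkg) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const out = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "exact") out.push({ field, name, spec, kind });
    }
  }
  return out;
}

// Constructed sample package.json (not a real project). The package names
// are used only as illustrations of specifier shapes.
const samplePackageJson = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: {
    "left-pad": "1.3.0",            // exact: reviewable
    "lodash": "^4.17.21",           // caret range: floats to any 4.x
    "some-lib": "github:user/repo#main", // branch ref: floats with the branch
    "aliased": "npm:other-name@2.0.0",   // alias pinned to an exact version
  },
  devDependencies: {
    "tsd": "*",                     // wildcard: any version at all
  },
};

// Usage: list what a reviewer would need to pin before trusting a lockfile.
for (const dep of unpinnedDependencies(samplePackageJson)) {
  console.log(`${dep.field}: ${dep.name} ${dep.spec} (${dep.kind})`);
}
```

The point of the script is not that ranges are always wrong, but that each one is a place where an update can happen without a human looking; pinning plus a lockfile integrity hash turns "update dependencies" from an automatic event into a deliberate review step.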