this post was submitted on 11 Feb 2024
128 points (95.7% liked)

Programming

17686 readers
130 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
128
When "Everything" Becomes Too Much: The npm Package Chaos of 2024 (socket.dev)
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
38 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 16 points 10 months ago (19 children)

This is hilarious, but now I'm wondering, what would a saner package manger look like?

[–] azertyfun 27 points 10 months ago (15 children)
  1. Like Python, have a large and featureful standard library such that > 80% of NPM packages are redundant. Other languages allow you to make very large projects with only a few tens of dependencies. JavaScript requires THOUSANDS.
  2. With this in place, stop with the recursive dependencies, immediately and forever. Every other package manager under the sun installs the dependencies next to each other.

I'd say pip is saner, though not by much as its support for private registries is very bad and seems designed to facilitate supply-chain attacks. I've heard a lot of good things about cargo but haven't used it enough myself to have a strong opinion.

[–] [email protected] 4 points 10 months ago (6 children)

The standard library thing is a really valid point, but how do you avoid recursive dependencies? Do you just not allow library packages to depend on anything?

pip is saner

Is it? It is very bare bones in my experience, I could never bring myself to use it until they make it a more fully fledged tool, such as the cargo you mentioned, yes

[–] labsin 5 points 10 months ago (1 children)

Other package managers, like nuget, throw errors if all dependencies on a package cannot be met by a single version.

This is probably the result of it copying all libraries in the same output directory and that .net cannot load 2 different versions of the same library so more an application restriction.

The downside of this is that packages often can't use newer features if they want to not block the users of that library and that utility libraries have to have his backwards compatibility so applications can use the latest version while dependent libraries target an older version. Often applications keep using older versions with known security issues.

[–] [email protected] 1 points 10 months ago

Damn, sounds like a big headache x.x

load more comments (4 replies)
load more comments (12 replies)
load more comments (15 replies)