Package managers’ appreciation day

Posted on Sat 26 March 2016 in Programming

By now you have probably heard about the infamous “npm-gate” that swept through the developer community over the last week. It has been brought up, discussed, covered, meta-discussed, satirized, and even featured by some mainstream media. Evidently the nerds have managed to stir up some serious trouble again, and it only took them 11 lines of that strange thing they call “code”.

No good things in small packages

When looking for a culprit, the one party that everyone pounced on immediately was of course npm itself. With its myriad of packages that could each fit in a tweet, it invites building the exact house of cards we’ve seen collapse.

This serves as a good wake-up call, of course. But it also compels some to throw the baby out with the bathwater and draw a conclusion that may be a little too far-fetched. Like perhaps declaring the entire idea of managing dependencies “the npm way” suspect. If packages tend to degenerate into something as ludicrous as isArray — to say nothing of left-pad, which started the whole debacle — then maybe this approach to software reusability has simply bankrupted itself?

A world without *pm

I respond to that right away with a resounding “No!” Package management as a concept is not responsible for the poor decision making of one specific developer collective. And anyone who might think tools like npm do more harm than good, I ask: have you recently written any C++?

See, C++ is the odd one among languages that at least pretend to be keeping up with the times. It doesn’t present a package management story at all. That’s right — the C++ “ecosystem”, as it stands now, has:

  • no package manager
  • no repository of packages
  • no unified way of managing dependencies
  • no way to isolate development environments of different projects from one another

Adding any kind of third-party dependency to a C++ project — especially a portable one, which is allegedly one of C++’s strengths — is a considerable pain, even when it doesn’t require any additional libraries by itself. And environment isolation? Some people are using Linux containers (!) for this, which is like dealing with a mosquito by shooting it with a howitzer.

Billions upon billions of lines
To build a C++ binary, you must first build the userspace.

But hey, at least they can use apt-get, right?…

So, string padding incidents aside, package managers are absolutely essential. Sure, we can and should discuss the merits of their particular flavors and implementation details — like whether it’s prudent to allow “delisting” of packages. As a whole, however, package managers deserve recognition as a crucial part of modern language tooling that we cannot really do without.