Like Python, have a large and featureful standard library such that > 80% of NPM packages are redundant. Other languages allow you to make very large projects with only a few tens of dependencies. JavaScript requires THOUSANDS.
With this in place, stop with the recursive dependencies, immediately and forever. Every other package manager under the sun installs the dependencies next to each other.
I’d say pip is saner, though not by much as its support for private registries is very bad and seems designed to facilitate supply-chain attacks. I’ve heard a lot of good things about cargo but haven’t used it enough myself to have a strong opinion.
The lack of a standard library is really the worst offender. Most of a given node_modules directory is filled with middleware to handle JS’s lack of everything.
Compared to other languages it’s still very barebones – but admittedly some of the bloat is also because the JS world is kinda set in its ways. I still see people use jQuery for basic selector queries and SASS for basic CSS variables.
Another factor is that developers these days assume that users have fast unmetered connections. Loading 800 kB of minified gzipped JS from ten different domains is seen as no big deal. When the cost of adding piles of dependencies is considered nil there’s no impetus to avoid them.
That last point truly bothers me, too. It’s fine to have a bloated work environment (some people use Visual Studio, after all). But that complexity should not get offloaded to your users. Webdevs need to do better on this front, it’s not 2015 anymore.
Pip is definitely not saner. The way installs are centralized has bitten me in the ass multiple times, when I wanted to have two different versions of Conan installed on a single machine.
And I know there are workarounds like virtualenvs, but they’re complex hacks. Stockholm syndrome yadda yadda yadda.
If it was sane, downloads would be centralized (no point in downloading the same package over and over again) but installs would be project-local (symlinks? There are multiple ways to do this, cf Conan)
Sure, NPM is wasteful with storage space but I’ll take inefficient over brittle any day.
It’s saner, not perfect. With virtualenvs it does basically what you describe except that it re-downloads everything for every virtualenv, but that does not typically matter much since it’s not downloading a billion dependencies.
With NPM there’s no choice but to have hundreds of duplicates installed for every project, that’s not just inefficient but it is a security, maintainability, and auditability nightmare.
NPM is definitely saner for that use case because it works out of the box. Pip is not because it is based on shakier foundations. With NPM, you don’t get to a point where you rely on things to work correctly, and they suddenly don’t and you have trouble understanding why. And it does not force me to look at its nuts and bolts to allow me to work with it.
I can afford big node_modules directories, even if it’s not optimal. It’s still small compared to the cruft I’ve accumulated on other projects I’ve worked on with other technologies. Remember the order of priority of things: make it work >> make it efficient. Software engineering is about delivering software, it’s not an art. It doesn’t have to be pretty everywhere.
I will concede that NPM is not perfect. Despite its flaws, I love how Conan solves the issue we’re talking about.
IDK any full-time JS or Node developers but they seem like they’re lazy and all have ADD. Packages developed for years still on version 0.x, packages depending on deprecated packages that were replaced by core functionality, packages still using CommonJS format (which I actually like better unfortunately), and popular packages without an update for 3 years. It feels like the entire ecosystem is for hobbyists only and businesses are like, “Cute language, but not for us.”
I’d say
pipis saner, though not by much as its support for private registries is very bad and seems designed to facilitate supply-chain attacks. I’ve heard a lot of good things aboutcargobut haven’t used it enough myself to have a strong opinion.The lack of a standard library is really the worst offender. Most of a given node_modules directory is filled with middleware to handle JS’s lack of everything.
Is that still a valid argument in 2024? The standard library has grown since the leftpad scandal. JS does have standard leftpad now.
It’s a genuine question, I no longer write Javascript for a living.
Compared to other languages it’s still very barebones – but admittedly some of the bloat is also because the JS world is kinda set in its ways. I still see people use jQuery for basic selector queries and SASS for basic CSS variables.
Another factor is that developers these days assume that users have fast unmetered connections. Loading 800 kB of minified gzipped JS from ten different domains is seen as no big deal. When the cost of adding piles of dependencies is considered nil there’s no impetus to avoid them.
That last point truly bothers me, too. It’s fine to have a bloated work environment (some people use Visual Studio, after all). But that complexity should not get offloaded to your users. Webdevs need to do better on this front, it’s not 2015 anymore.
Pip is definitely not saner. The way installs are centralized has bitten me in the ass multiple times, when I wanted to have two different versions of Conan installed on a single machine.
And I know there are workarounds like virtualenvs, but they’re complex hacks. Stockholm syndrome yadda yadda yadda.
If it was sane, downloads would be centralized (no point in downloading the same package over and over again) but installs would be project-local (symlinks? There are multiple ways to do this, cf Conan)
Sure, NPM is wasteful with storage space but I’ll take inefficient over brittle any day.
It’s saner, not perfect. With virtualenvs it does basically what you describe except that it re-downloads everything for every virtualenv, but that does not typically matter much since it’s not downloading a billion dependencies.
With NPM there’s no choice but to have hundreds of duplicates installed for every project, that’s not just inefficient but it is a security, maintainability, and auditability nightmare.
NPM is definitely saner for that use case because it works out of the box. Pip is not because it is based on shakier foundations. With NPM, you don’t get to a point where you rely on things to work correctly, and they suddenly don’t and you have trouble understanding why. And it does not force me to look at its nuts and bolts to allow me to work with it.
I can afford big node_modules directories, even if it’s not optimal. It’s still small compared to the cruft I’ve accumulated on other projects I’ve worked on with other technologies. Remember the order of priority of things: make it work >> make it efficient. Software engineering is about delivering software, it’s not an art. It doesn’t have to be pretty everywhere.
I will concede that NPM is not perfect. Despite its flaws, I love how Conan solves the issue we’re talking about.
IDK any full-time JS or Node developers but they seem like they’re lazy and all have ADD. Packages developed for years still on version 0.x, packages depending on deprecated packages that were replaced by core functionality, packages still using CommonJS format (which I actually like better unfortunately), and popular packages without an update for 3 years. It feels like the entire ecosystem is for hobbyists only and businesses are like, “Cute language, but not for us.”