Hunting for Gems: How Ruby's package management system evolved (opens in new tab)

(railsexplained.com)

69 pointsgreytape1y ago19 comments

19 comments

FWIW, I LOVE bundler and it absolutely kills me that npm, pip still haven't settled well in to the management of it.

Specifically, bundler allows side-by-side version installs and the program simply loads the version specified in the bundle.lock thus making the lock file the source of truth where as npm, pip, even poetry install whatever version exists at the path. This pushes the source of truth from the .lock to that path.

It's not the end of the world, but when you're testing library versions side-by-side you can easily get confused whether you remembered to run `install` between the switches.

StableAlkyne1y ago

> Specifically, bundler allows side-by-side version installs and the program simply loads the version specified in the bundle.lock

I'm surprised Python hasn't caught up to that. At best you can use Anaconda, but in order to have multiple versions of the same library, you end up having to create a new environment, which is another Python installation.

There are currently some nasty dependency issues caused by 3.11->3.12 breaking back compatibility in the standard library around the build system, alongside Numpy just kinda deciding semver doesn't matter between 1.20 and 2.0, that breaking changes don't warrant a major version bump if they tagged a deprecation warning on it. You just have to know their version scheme isn't really semver when pinning versions, which is lame of them, because ignoring that expectation has caused so many downstream breakages in the last couple of years.

So much could be solved if you could just say "this version of this package" in a dependency and not have to worry about compatibility on a completely different package

akx1y ago

> So much could be solved if you could just say "this version of this package" in a dependency

This can be done in the JS/TS world. It also occasionally breaks horribly in the JS/TS world. You might have multiple incompatible versions of a package in the tree when one dependency depends on one particular version, and the rest of your universe depends on another. It gets even worse when `Symbol`s come to play, since they'll be unique between those two versions.

hosh1y ago

It’s even worse when npm install modifies the package lock file.

It also doesn’t understand how to get packages from a git source.

From a release engineering perspective, this drives me batty.

weaksauce1y ago

i’ve said before that it’s like the npm people have made the worst possible design choice whenever asked for a decision. it’s insane how bad it is compared to bundler or comparable package management tools.

2 more replies

noirscape1y ago

As I understand it, the idea is that npm install is what's used during development, while npm ci/clean-install is what you use for deployments and your CI system.

It makes the pretty heavy assumption that a developer will always be able to bugfix the version differences.

1 more reply

hschne1y ago

> It also doesn’t understand how to get packages from a git source.

Not sure what you mean.

https://bundler.io/guides/git.html

1 more reply

michaelmior1y ago

> install whatever version exists at the path

Do you mean it uses whatever version exists in the path? I think that's a fair concern.

bankcust083851y ago

They still don't have cryptographic signatures widely signing gems despite deploying optional infrastructure to do it. What a waste and sad.

j / k navigate · click thread line to collapse

19 comments

irjustin1y ago

FWIW, I LOVE bundler and it absolutely kills me that npm, pip still haven't settled well in to the management of it.

It's not the end of the world, but when you're testing library versions side-by-side you can easily get confused whether you remembered to run `install` between the switches.

StableAlkyne1y ago

> Specifically, bundler allows side-by-side version installs and the program simply loads the version specified in the bundle.lock

So much could be solved if you could just say "this version of this package" in a dependency and not have to worry about compatibility on a completely different package

akx1y ago

> So much could be solved if you could just say "this version of this package" in a dependency

hosh1y ago

It’s even worse when npm install modifies the package lock file.

It also doesn’t understand how to get packages from a git source.

From a release engineering perspective, this drives me batty.

weaksauce1y ago

2 more replies

noirscape1y ago

As I understand it, the idea is that npm install is what's used during development, while npm ci/clean-install is what you use for deployments and your CI system.

It makes the pretty heavy assumption that a developer will always be able to bugfix the version differences.

1 more reply

hschne1y ago

> It also doesn’t understand how to get packages from a git source.

Not sure what you mean.

https://bundler.io/guides/git.html

1 more reply

michaelmior1y ago

> install whatever version exists at the path

Do you mean it uses whatever version exists in the path? I think that's a fair concern.

bankcust083851y ago

They still don't have cryptographic signatures widely signing gems despite deploying optional infrastructure to do it. What a waste and sad.

j / k navigate · click thread line to collapse