Hasty Briefs (beta)

Package managers that package package managers

9 hours ago
  • #dependency_hell
  • #software_ecosystem
  • #package_managers
  • A cursed table illustrates a loop where package managers install each other, starting with PyPI installing Node.js and npm installing Python.
  • System package managers like AUR, Homebrew, and nixpkgs package many other managers, but are rarely packaged themselves.
  • Language registries like PyPI, npm, and crates.io host cross-language tools, with PyPI being the densest source.
  • Many package managers, such as pip and npm, ship themselves on their own registries for updates.
  • A security vulnerability in a tool like pip can be recorded as multiple CVEs across the different package managers that ship it, which complicates tracking.
  • Finding packages by name across registries is unreliable due to naming conflicts; using repository links yields better results.
  • An 11-hop chain demonstrates installing an Elm compiler through nested managers, starting from Arch Linux.
  • A CSV file on GitHub invites contributions to extend the package manager matrix.
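The matrix described above can be treated as a directed graph: an edge means one manager can install another. The following is an added example, not the article's code or its CSV; it uses a small constructed matrix to find self-installing loops, the shortest install chain between two managers, and every manager through which a given tool (and therefore a vulnerability in it) is redistributed, keying installees by repository URL rather than bare name.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample matrix (not the article's CSV): one row per "installer can
# install installee"; the repo URL is the installee's stable identity.
SAMPLE_CSV = """installer,installee,repo
pacman,pip,https://github.com/pypa/pip
pacman,npm,https://github.com/npm/cli
pip,npm,https://github.com/npm/cli
npm,pip,https://github.com/pypa/pip
pip,pip,https://github.com/pypa/pip
cargo,pip,https://github.com/pypa/pip
"""

def load_matrix(text):
    """Return ({installer: {installee}}, {installee: {repo URL}})."""
    graph, repos = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        graph[row["installer"]].add(row["installee"])
        repos[row["installee"]].add(row["repo"])
    return graph, repos

def shortest_chain(graph, start, target):
    """BFS: fewest-hop list of managers from start to installing target, else None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for nxt in graph.get(path[-1], ()):
            if nxt == target:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def loops(graph):
    """Managers that can transitively install themselves (pip -> npm -> pip)."""
    return sorted(m for m in graph if shortest_chain(graph, m, m) is not None)

def distributors_of(graph, tool):
    """Every manager that can install tool, directly or via other managers:
    each is a separate place a fix for a CVE in tool must propagate to."""
    hit = {tool}
    while True:
        more = {src for src, dsts in graph.items() if dsts & hit} - hit
        if not more:
            return sorted(hit - {tool})
        hit |= more
```

Running `distributors_of(graph, "pip")` on the sample lists every manager a pip advisory would have to be tracked through, and `loops(graph)` returns the mutually installing pair the brief calls cursed.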