If It Quacks Like a Package Manager
3 days ago
- #package-managers
- #dependency-management
- #supply-chain-security
- A package manager is recognisable by what it does rather than what it is called: it builds a dependency graph, runs a resolution algorithm over version constraints, writes a lockfile, and verifies the integrity of what it fetches.
- GitHub Actions has no lockfile and no integrity hashes. `uses:` references to tags and branches are mutable; the only immutable reference is a full commit SHA, and a consumer can set that only on direct dependencies, not on the actions a composite action or reusable workflow pulls in transitively.
- Ansible Galaxy resolves collection dependencies with resolvelib, but a requirements file is not a lockfile, published versions can change underneath you, and integrity verification is opt-in rather than the default.
- Terraform's `.terraform.lock.hcl` pins provider versions and records their hashes, but it covers providers only: modules fetched from git are referenced by tags that can be moved, and nothing in the lockfile protects them.
- Helm has `Chart.lock` and resolves transitive subchart dependencies, but whether a chart version is immutable depends on the registry type, since a classic HTTP chart repository and an OCI registry make different guarantees about what a version points to.
- Any tool with transitive dependencies runs into the same set of problems: reproducible installs, supply-chain exposure through dependencies you did not choose, the need to override a transitive version, mutable references, pinning the full tree rather than only direct dependencies, and verifying the integrity of what was fetched.
- A tool that has to solve these problems is a package manager, whatever its official designation, and should be evaluated as one.
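The mutable-reference problem from the list above, made concrete as a small lint over a GitHub Actions workflow and a Terraform module file. This is an added example, not code from the post or from any of the tools it discusses: the workflow and module text are constructed samples, the regex matching assumes one `uses:` or `source` per line rather than being a real YAML or HCL parser, and the only rule applied is the one the post implies, that a full commit SHA (or an image digest) is the only immutable reference.

```python
"""Flag mutable dependency references in a GitHub Actions workflow and Terraform module blocks."""
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # the only immutable git reference

# Constructed sample inputs (not from the post), covering pinned, unpinned and local cases.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: npm ci
"""

TERRAFORM = """\
module "vpc" {
  source = "git::https://github.com/example/terraform-vpc.git?ref=v1.4.0"
}

module "bucket" {
  source = "git::https://github.com/example/terraform-bucket.git?ref=9fceb02d0ae598e95dc970b74767f19372d61af8"
}

module "registry_vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.0"
}
"""


@dataclass
class Finding:
    kind: str       # "workflow" or "terraform"
    severity: str   # "warn" = mutable reference, "info" = version-pinned but not hash-verified
    reference: str
    reason: str


# Line-oriented matching; assumes one reference per line (no YAML/HCL parsing).
USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)", re.MULTILINE)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)


def check_workflow(text: str) -> list[Finding]:
    """Check every `uses:` step of a workflow for a mutable reference."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: part of this repo, fixed by the checkout itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding("workflow", "warn", ref,
                                        "image tag is mutable; pin to an @sha256 digest"))
            continue
        if "@" not in ref:
            findings.append(Finding("workflow", "warn", ref, "no ref given"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA.match(version):
            findings.append(Finding("workflow", "warn", ref,
                                    "tag or branch is mutable; pin to a full commit SHA"))
    return findings


def check_terraform(text: str) -> list[Finding]:
    """Check each module `source`; .terraform.lock.hcl covers providers only, never modules."""
    findings = []
    for match in SOURCE_RE.finditer(text):
        src = match.group(1)
        if src.startswith("./") or src.startswith("../"):
            continue  # local module, versioned with the root configuration
        if src.startswith("git::") or src.startswith("github.com/"):
            query = src.split("?", 1)[1] if "?" in src else ""
            params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
            ref = params.get("ref")
            if ref is None:
                findings.append(Finding("terraform", "warn", src,
                                        "git source without ?ref= tracks the default branch"))
            elif not FULL_SHA.match(ref):
                findings.append(Finding("terraform", "warn", src,
                                        "git ref is a mutable tag or branch; pin to a commit SHA"))
        else:
            findings.append(Finding("terraform", "info", src,
                                    "registry module: version-constrained, but not hash-locked"))
    return findings


if __name__ == "__main__":
    for f in check_workflow(WORKFLOW) + check_terraform(TERRAFORM):
        print(f"{f.severity:4} {f.kind:9} {f.reference}: {f.reason}")
```

On the sample inputs the lint reports `actions/checkout@v4` and `docker://alpine:3.20` as mutable, accepts the SHA-pinned `setup-node` step, flags the `vpc` module's `?ref=v1.4.0` tag, accepts the `bucket` module pinned to a commit, and marks the registry module as version-pinned but unverified. What it cannot see is exactly the gap the post describes: the actions a composite action uses internally, and the providers or modules a module pulls in, are outside the consumer's file and so outside the consumer's control.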