I'm in the position that I actually find npm / yarn the best ecosystem. Whenever I use something else I always end up stubbing my toe into something that's missing / feels wrong.

Ex. Cargo seems to neither have a concept of devDependencies nor peerDependencies.

@zkat__ I also can't understand why it wouldn't have an "add" command to add a new dependency. And I'm no fan of TOML, JSON is great (easy to parse and build tooling around), and the better option in my opinion would be JSON5.
@zkat__ C / C++ seems to just not have language package managers. The Linux / BSD crowd seem to have decided that the system package manager also should be the language package manager. Which might have been fine if every Linux distro used the same system package manager.
@zkat__ Instead we end up with a N x M problem. Where we have a bunch of different operating systems and they all support multiple system package managers. So there's no easy way of distributing, referencing and updating C / C++ packages.
@zkat__ It is also my opinion that the compiler / runtime should be a package dependency. I don't like Rust's split between rustup and cargo (they should have been one tool). Similarly it would be better if you added Node as a dependency to package.json, that way we wouldn't need NVM.
@zkat__ Lock-files are great, but I'm always surprised that they aren't built in a way so that Git can more easily automatically resolve merge conflicts. Maybe package managers could supply a Git hook for fixing merge conflicts in lock-files?
@zkat__ I'm not too happy that Cargo doesn't have a dedicated command for downloading dependencies. I don't want it to download all its dependencies when I run the build, I would want to do that beforehand as its own step. How else am I to cache the dependencies in build pipelines / Docker?
@zkat__ I still don't know how Go handles its dependencies. Whatever they did with requiring a GOPATH when it first came out was horrible. I feel like any new programming language that comes out should solve their package management first before releasing something into the public.
@zkat__ In fact I feel like any new programming language should be built around package management! Semver is okay, but not great. There should be no reason to manually have to set version numbers. But that would mean that the compiler would have to come up with a version number.
@zkat__ That should be possible if the language was built around supporting it.
@zkat__ I feel like every package manager should have a command to output their dependency tree as a graphviz Dot file, so that you could easily graph it. Especially if you have a monorepo with multiple workspaces.
@zkat__ And why don't package managers come with better tooling around reviewing and upgrading dependencies? Let me easily get a list of dependencies and filesize. Give me a linter to ensure that packages get updated.
@zkat__ Let me set max size for libraries so that I can ensure that I don't pull in too big libraries.
@zkat__ Yarn Berry's idea of committing the yarn executable to the Git repo so that it too is versioned (and therefore is versioned between developers / CI servers) is a great idea! How well it works in practice I have yet to see.
@zkat__ I'm not a fan of Yarn keeping a single lock file for all of its workspaces in a monorepo. It makes building things inside Docker a bit weird, it creates more opportunities for merge conflicts. I feel like there should be a better solution for this.
@zkat__ Lock-files in general feel like they store too much information. There should be an algorithm to reduce what information is needed, and to find a minimal set. I remember seeing a project that supposedly fixed this in another ecosystem.
@zkat__ This came out as a bit of a rant, I'm afraid that I could keep going for quite a while. Feel free to hit me up if you'd like to talk more about this. Then again you probably know a lot more than me about all this having worked with building this kind of stuff.
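
The dependency-graph idea from the thread, as an added example (not part of the original thread and not any package manager's own tooling): a Node.js script that turns the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) into Graphviz DOT, which makes transitive and duplicated dependencies visible for review. The lockfile contents and all function names are constructed for illustration.

```javascript
// Constructed sample lockfile (not a real project); same shape as package-lock.json v2/v3.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { a: "^1.0.0", b: "^2.0.0" } },
    "node_modules/a": { version: "1.2.0", dependencies: { c: "^1.0.0" } },
    "node_modules/b": { version: "2.0.1", dependencies: { c: "^2.0.0" } },
    "node_modules/b/node_modules/c": { version: "2.3.0" },
    "node_modules/c": { version: "1.0.5" },
  },
};

// Find the lockfile entry a dependency resolves to by walking up nested
// node_modules directories, the same way Node's module resolution does.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (candidate in packages) return candidate;
    if (base === "") return null; // declared but not installed (e.g. skipped optional dep)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Human-readable node label: name@version, with the name taken from the path if absent.
function nodeLabel(packages, path) {
  const entry = packages[path];
  const i = path.lastIndexOf("node_modules/");
  const name = entry.name || (i === -1 ? path : path.slice(i + "node_modules/".length));
  return `${name}@${entry.version}`;
}

// Emit one DOT edge per resolved dependency; a Set removes duplicate edges.
function lockToDot(lock) {
  const packages = lock.packages;
  const edges = new Set();
  for (const [path, entry] of Object.entries(packages)) {
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...entry.devDependencies };
    for (const depName of Object.keys(deps)) {
      const target = resolveDep(packages, path, depName);
      if (target === null) continue;
      edges.add(`  "${nodeLabel(packages, path)}" -> "${nodeLabel(packages, target)}";`);
    }
  }
  return ["digraph deps {", ...[...edges].sort(), "}"].join("\n");
}

console.log(lockToDot(SAMPLE_LOCK));
```

Piping the output to `dot -Tsvg` renders the graph; in the sample, `c` appears twice because `a` and `b` require incompatible major versions.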