Theoretically, package managers are a marvel! The idea of just running one command and having everything magically created, updated, and compiled for you, sounds simply awesome.
Not everyone is completely sold though. There are a number of great developers who think package managers suck. And even many of those who use them as part of their day-to-day coding activities still seem to have a love-hate relationship with these popular tools.
This article presents the benefits of and complaints against package managers.
Even though this article was prompted by some of my frustrations with package managers, the purpose of this article is not to argue for or against these tools. I just present their pros and cons without going into detailed discussions of my recent experiences.
I’ll write some more personal musings on this subject another day.
Pros Of Package Managers
If you’re doing small scale development, you may not find any of the pros below to be extremely important. But when you move on to bigger work, their benefits become more obvious. In fact, it can be argued that any large scale software development work will be impossible these days without the use of one bundling tool or another.
1. They Let You Know The Library Versions You’re Using: With a package manager, you get a configuration that shows which library versions you’re using. The package manager also makes sure that the configuration information is correct. Knowing the exact libraries you use (and their versions) is very important in situations when you need to update a library due to a bug or security issue. It is also important even if you just want to check if a recently announced security issue affects you.
2. Additional Features During Installation: Some package managers provide this. NuGet package manager for example, will add content files and dependencies to your .csproj file. It can also add configuration elements to your config file.
3. Centralized Distribution And Hosting: With package managers, there’s no need to depend on the website of some random library anymore. Even if the original site goes out of business, a package manager’s website will continue to hold every version of the library that was ever created. In addition, developers don’t need to hunt down and keep track of many websites containing the packages they use often. With package managers, they have one go-to spot to browse for packages and package versions.
4. Package Managers Help Prevent Incompatible Files From Mixing Together: If someone doesn’t clean things up properly before an upgrade, some folders may end up containing mixed/incompatible versions of files and/or libraries. When a package manager manages the entire folder, this can’t happen. And since package managers update everything together, it becomes harder to use incompatible dependencies. The software will take care of installing different versions as needed. And it will throw different errors or warnings when you attempt to mix incompatible versions.
5. They Help Discourage Global Installations Of Dependencies: The conventional way of installing dependencies provided by most package managers is localized to unique folders (not global).
6. The Crowd Behind Popular Package Managers Help Establish Useful Conventions: This means that when a new developer is hired to join a team, they don’t necessarily need to learn the package management conventions used in this particular team. If the team already uses a popular package manager (like npm), the newly hired developer (who already knows the conventions used in npm) can hit the ground running pretty quickly. They won’t need to spend a lot of time figuring out how libraries are managed in the team’s code base.
7. They Help Avoid Checking In Large Binaries: Large binaries should not be checked into source control. And since package managers will generally download packages on the fly, they automatically help eliminate the need to check such binaries in.
8. Standard Way Of Distributing Your Own Dependencies: You can use package managers to version and distribute your own dependencies that you won’t be uploading to the repository.
9. They Document Your File Version Numbers In A Centralized Place: No need to right-click DLLs to find their versions anymore. Just look at the package list of files in the package manager. In Python, if a library author did not include the version number in a .py file, you won’t even be able to tell the file version by looking at the file itself.
Cons Of Package Managers
Most of these cons are amplified when you’re just doing small scale development. When you move on to bigger work, package managers actually begin to shine (somewhat).
1. Overkill: For small and low maintenance libraries, package managers may be overkill. You shouldn’t have to install an extra program and configure software just to copy and paste a handful of files to the server. True, package managers are great for some people and for large projects. But for small solutions, they often require more work and effort than simply dropping a folder in your project and referencing it.
2. Learning Curve: Many beginner developers find the “Composer barrier” (or “[insert package manager] barrier”) overwhelming. When such beginner developers come across libraries and packages on github (and elsewhere) that only list a package manager installation method, they may be discouraged from experimenting with these new libraries and packages just because of the extra learning curve. Library devs can mitigate this problem by simply including installation instructions for both bundling (using a package manager) and requiring (regular copy and paste) approaches. But the reality is that there are tons of libraries online with only package manager installation instructions.
3. Herd Mentality: Open source software is supposed to be all about freedoms. But a good argument can be made that Composer and other popular package managers quickly accumulate a cult-like following – inherently “forcing” developers to go with the crowd instead of think for themselves. In today’s software ecosystem, developers (who are supposed to be very free-thinking and innovative) are herded into specific third-party software (package managers and faddish frameworks) in order to do web development. But what caliber of software developers does this herd mentality create? Arguably, people who hide behind “just use [insert package manager]” have no idea what they are doing at all.
4. Unnecessary Dependency Nightmare: Including a couple of classes should be a quick 30 second job, max. With Composer for example, you can easily spend much longer doing a straightforward thing only to end up with a complex multiple-dependency app that breaks every time there’s an update somewhere. Anyone who has done significant work with package managers will agree that even though dependency management is one of their primary selling points, managing dependencies with package managers can still be a nightmare.
5. Vague Or Esoteric Messages: Error messages with package managers are very frequent and many times not very clear. Documentation is hardly ever very clear too. So, you may often find yourself troubleshooting vague messages that can rightly be referred to as “esoteric garbage”. Sometimes, it may even be hard to tell if an output message is an error message or a success message.
6. Extra Layer Of Stuff To Troubleshoot: With package managers, you may have to start a long debug process (to troubleshoot issues with the package manager itself) before you even begin coding. Since the package manager is supposed to be one of the common tools in a developer’s tool set, having to troubleshoot it’s installation process before getting to work is NOT acceptable. Depending on the project size, this may even completely negate the potential productivity boost that package managers claim to offer in the first place.
7. How Well Do You Trust That Repo For Your Production Workload? Some developers don’t like the idea that their packages come from some mystery cloud place that could very well be unreliable. This is especially true for stuff that will be put into production usage.
There you have it – a detailed list of the advantages and disadvantages of package managers. Did I miss anything? Please let me know in the comments section below.