You can’t even use it without the documentation of the program that you want to install because some dependencies have to be installed manually, and even then there’s a chance of the installation not working because a unit test would fail.
cargo just works, it’s great and everyone loves it.
npm has a lot of issues but in general does the job. When docs say do ‘npm install X’ you do it and it works.
pip is a mess. In my experience doing ‘pip install X’ will maybe install something but it will not work because some dependencies will be screwed up. Using it to distribute software is pointless.
Really the fault of js since its standard library is so lacking (leftpad, anyone?), but js wasn’t built to do half the stuff it’s being asked to do, anyway.
It probably works for your own local project. After using it for couple of days to install some 3rd party tool my conclusion is that it has no idea about dependencies. It just downloads some dependencies in some random versions and than it never works. Completely useless.
Well if the file would be created by hand, that’s very cumbersome.
But what is sometimes done to create it automatically is using
pip freeze > requirements. txt
inside your virtual environment.
You said I don’t need to create this file? How else will I distribute my environment so that it can be easily used? There are a lot of other standard, like setup.py etc, so it’s only one possibility. But the fact that there are multiple competing standard shows that how pip handles this is kinds bad.
If you try to keep your depencies low, it’s not very cumbersome. I usually do that.
A setup.py/pyproject.toml can replace requirements. txt, but it is for creating packages and does way more than just installing dependencies, so they are not really competing.
For scripts which have just 1 or 2 packges as depencies it’s also usuall to just tell people to run pip install .
Isn’t it called a requirements.txt because it’s used to export your project requirements (dependencies), not all packages installed in your local pip environment?
what’s wrong with nuget? I have to say I like the “I want latest” “no, all your dependencies are pinned you want to update latest you gotta decide to do it” workflow. I can think of some bad problems when you try to do fancy things with it but the basic case of “I just want to fetch my program’s dependencies” it’s fine.
I’m guessing they only used it 10 years ago when it was very rough around the edges. It didn’t integrate well with the old .NET Framework because it conflicted with how web.config managed dependencies and poor integration with VS. It was quite bad back then… but so was .NET Framework in general. Then they rebuilt from the ground up with dotnet core and it’s been rock solid since
Or they just hate Microsoft, which is a common motif to shit on anything Microsoft does regardless of the actual product.
The project I’m on right now originally had the nuget.exe saved in source because they had to manually run it through build scripts, it wasn’t built in to VS until VS2012
I’ll second this. I would argue that .Net Core’s package/dependency management in general is way better than Python or JavaScript. Typically it just works and when it doesn’t it’s not too difficult to fix.
It’s also much faster to install packages than npm or pip since it uses a local package cache and each package generally only has a few DLL files inside.
Would that just create a list of the current packages/versions
Yes, and all downstream dependencies
without actually locking anything?
What do you mean? Nothing stops someone from manually installing an npm package that differs from package-lock.json - this behaves the same. If you pip install -r requirements.txt it installs the exact versions specified by the package maintainer, just like npm install the only difference is python requires you to specify the “lock file” instead of implicitly reading one from the CWD
As I understand, when you update npm packages, if a package/version is specified in package-lock.json, it will not get updated past that version. But running those pip commands you mentioned is only going to affect what version gets installed initially. From what I can tell, nothing about those commands is stopping pip from eventually updating a package past what you had specified in the requirements.txt that you installed from.
But running those pip commands you mentioned is only going to affect what version gets installed initially.
I don’t follow. If my package-lock.json specifies package X v1.1 nothing stops me from manually telling npm to install package X v1.2, it will just update my package.json and package-lock.json afterwards
If a requirements.txt specifies X==1.1, pip will install v1.1, not 1.2 or a newer version. If I THEN install package Y that depends on X>1.1, the pip install output will say 1.1 is not compatible and that it is being upgraded to 1.2 to satisfy package Y’s requirements. If package Y works fine on v1.1 and does not require the upgrade, it will leave package X at the version you had previously installed.
Lockfile contains exact state of the npm-managed code, making it reproducible exactly the same every time.
For example without lockfile in your package.json you can have version 5.2.x. In your working directory, you use 5.2.1, however on repo, 5.2.2 has appeared, matching your criteria. Now let’s say a new bug appeared in 5.2.2.
Now you have mismatched vendor code, that can make your code behave differently on your machine, and your coworker’s machine, making you hunt for bug that wasn’t even on your side.
Lockfile prevents that by saving an actual state of vendor code.
In my experience npm is not great but it does work most of the time. I just tried installing bunch of stuff using pip and NONE of them worked. Python is backwards compatibility hell. Python 2 vs 3, dependencies missing, important libraries being forked and not working anymore. If the official installation instructions are ‘pip install X’ and it doesn’t work then what’s the point?
npm has A LOT of issues but generally when I do ‘npm i’ i installs things and they work.
But the main point is that cargo is just amazing :)
Hmm, I personally haven’t seen that kind of issue myself though. I also tend to not use random packages from random authors though, so that might help.
The main issue with JS is that every 6 months someone comes up with the next great tool that misses half of basic features and dies after 6 months when someone comes up with the next great tool. But at least the old tested solution still works unlike in Python where the main goal seems to be breaking the backwards compatibility as often as possible.
pnpm is already very well established, it’s not completely different from npm either so they didn’t have to reinvent the wheel, they just made some things much better.
Python is is just a mess on the other hand, a thousand tools all with some overlap in what they’re trying to achieve because they didn’t have the balls to make pip an all-in-one solution, there are 2 great alternatives that do almost everything though: poetry and pdm. I read a spot on analysis on this article, maybe it can help you make a choice
But at least the old tested solution still works unlike in Python where the main goal seems to be breaking the backwards compatibility as often as possible.
lol what. Node does a new majorrelease every six months. And you’re shit talking python? There’s probably never going to be another major version change, and minor versions have several years of support
In like 10 years of python development I don’t think I’ve ever been mad about breaking changes in python.
That’s not a controversial opinion. I’d say it’s worse than pip. At least pip doesn’t put nag messages on the console or fill up your hard drive with half a gigabyte of small files. OP is confused.
About the only good thing about npm is that I can use one of the superior alternatives. Using npm is almost always a headache as soon as you start working with a decent number of packages.
Sorry but nah. My last job we had a couple different python microservices. There was pipenv, venv, virtualenv, poetry, Pipfile.lock, requirements.txt (which is only the top level???), just pure madness
Apparently all this shit is needed because python wants to install shit globally by default? Are you kidding?
Well, we also had a couple node microservices. Here’s how it went: npm install. Done.
Afraid you fucked something and want a clean environment? Here’s how you do it with node: delete node_modules/. Done.
Want a clean python env? Uhhhhhhhh use docker I guess? Maybe try reinstalling Python using homebrew? (real actual answers from the python devs who set these up)
Well what’s currently installed? ls node_modules, or use npm ls if you want to be fancy.
In python land? Uhhhhhh
Let’s update some dep–WHY AREN’T PYTHON PACKAGES USING SEMVER
So yeah, npm may do some stuff wrong, but it seems like it does way more shit right. Granted I didn’t really put in the effort to figure out all this python shit, but the people who did still didn’t have good answers. And npm is just straightforward and “works”.
“But JS projects pull in SOOOO many dependencies” Oh boohoo, you have a 1TB SSD anyway.
Apparently all this shit is needed because python wants to install shit globally by default?
None of that was needed. It was just used because nobody at your company enforced a single standard for developing your product.
Afraid you fucked something and want a clean environment? Here’s how you do it with node: delete node_modules/. Done.
rm -rf venv/. Done.
Want a clean python env? Uhhhhhhhh use docker I guess?
python -m venv venv
Well what’s currently installed? ls node_modules, or use npm ls if you want to be fancy.
In python land? Uhhhhhh
pip freeze. pip list if you want it formatted.
Let’s update some dep–WHY AREN’T PYTHON PACKAGES USING SEMVER
Janky, legacy python packages will have random versioning schemes. If a dependency you’re using doesn’t follow semver I would question why you’re using it and seek out an actively maintained alternative.
I really don’t see the hassle… just pick one (e.g. pip/venv) and learn it in like half a day. It took college student me literally a couple hours to figure out how I could distribute a package to my peers that included compiled C++ code using pypi. The hardest part was figuring out how to cross compile the C++ lib. If you think it’s that hard to understand I really don’t know what to tell you…
Sure, for a new project. But when inheriting code I’m not in a position to pick.
The point is that the state of python package managers is a hot fucking mess compared to npm. Claiming that “npm is just as bad” (or worse) honestly seems ridiculous to me.
(And isn’t pip/venv the one the requirements.txt one? Completely flat, no way to discern the difference between direct dependencies and sub-dependencies? No hashes? Sucks when it’s time for updating? Yeah no thanks, I’d like a proper lock file. Which is probably why there are a dozen other tools.)
the only time i’ve had issues with pip is when using it to install the xonsh shell, but that’s not really pip’s fault since that’s a very niche case and i wouldn’t expect any language’s package manager to handle installing something so fundamental anyways.
It’s all fun and games until the wheel variant you need for your hardware acceleration package conflicts with that esoteric math library you planned on using.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !programmerhumor@lemmy.ml
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.
Pip has a good looking loading thingy though.
NuGet (for C# / .NET) is far better than npm.
And it has a cool name
XKCD Python https://xkcd.com/1987/
I avoid NPM after node-ipc Ukrainian malware incident.
i will get hated for this but: cargo > composer > pip > npm
NPM is ghastly though
What about CPAN?
You can’t even use it without the documentation of the program that you want to install because some dependencies have to be installed manually, and even then there’s a chance of the installation not working because a unit test would fail.
So noone mentioned how awesome vcpkg is yet?
Bruh idk why the difference… Educate me?
cargo just works, it’s great and everyone loves it.
npm has a lot of issues but in general does the job. When docs say do ‘npm install X’ you do it and it works.
pip is a mess. In my experience doing ‘pip install X’ will maybe install something but it will not work because some dependencies will be screwed up. Using it to distribute software is pointless.
I use pip extensively and have zero issues.
npm pulls in a million dependencies for even the simplest functionality.
Is that really the fault of the package manager or is it of the libraries you decide to use?
Really the fault of js since its standard library is so lacking (leftpad, anyone?), but js wasn’t built to do half the stuff it’s being asked to do, anyway.
Fault of the libraries you decide to use, i.e. any and all node libraries
It probably works for your own local project. After using it for couple of days to install some 3rd party tool my conclusion is that it has no idea about dependencies. It just downloads some dependencies in some random versions and than it never works. Completely useless.
This is clearly a layer 8 issue lmao.
Pip stores everything inside of some random txt file that doesn’t differentiate between packages and dependencies.
Pip stores nothing in a text file
If you want to export your local environment, isn’t usually a requirements.txt used?
Yes, but this file is created by you and not pip. It’s not like package.json from npm. You don’t even need to create this file.
Well if the file would be created by hand, that’s very cumbersome.
But what is sometimes done to create it automatically is using
pip freeze > requirements. txt
inside your virtual environment.
You said I don’t need to create this file? How else will I distribute my environment so that it can be easily used? There are a lot of other standard, like setup.py etc, so it’s only one possibility. But the fact that there are multiple competing standard shows that how pip handles this is kinds bad.
If you try to keep your depencies low, it’s not very cumbersome. I usually do that.
A setup.py/pyproject.toml can replace requirements. txt, but it is for creating packages and does way more than just installing dependencies, so they are not really competing.
For scripts which have just 1 or 2 packges as depencies it’s also usuall to just tell people to run pip install .
Isn’t it called a requirements.txt because it’s used to export your project requirements (dependencies), not all packages installed in your local pip environment?
I don’t know what cargo is, but npm is the second worst package manager I’ve ever used after nuget.
what’s wrong with nuget? I have to say I like the “I want latest” “no, all your dependencies are pinned you want to update latest you gotta decide to do it” workflow. I can think of some bad problems when you try to do fancy things with it but the basic case of “I just want to fetch my program’s dependencies” it’s fine.
I’m guessing they only used it 10 years ago when it was very rough around the edges. It didn’t integrate well with the old .NET Framework because it conflicted with how web.config managed dependencies and poor integration with VS. It was quite bad back then… but so was .NET Framework in general. Then they rebuilt from the ground up with dotnet core and it’s been rock solid since
Or they just hate Microsoft, which is a common motif to shit on anything Microsoft does regardless of the actual product.
Imho the VS integration has always been good, it’s the web config that’s always been a trash fire, and that’s not new.
The project I’m on right now originally had the nuget.exe saved in source because they had to manually run it through build scripts, it wasn’t built in to VS until VS2012
cargo is rust
I’ve never had an issue with nuget, at least since dotnet core. My experience has it far ahead of npm and pip
I’ll second this. I would argue that .Net Core’s package/dependency management in general is way better than Python or JavaScript. Typically it just works and when it doesn’t it’s not too difficult to fix.
It’s also much faster to install packages than npm or pip since it uses a local package cache and each package generally only has a few DLL files inside.
cargo is the package manager for the Rust language
So you are saying that npm is better than pip?? I’m not saying pip is good, but npm?
I would say npm is shitty like a lot of tools are. pip takes it to the next level.
Yeah? I don’t recall having to wait a long time when setting up my project using pip.
npm has a lockfile which makes it infinitely better.
Pip has Pipfile.lock.
pip also has lock files
pip freeze > requirements.txtWould that just create a list of the current packages/versions without actually locking anything?
Yes, and all downstream dependencies
What do you mean? Nothing stops someone from manually installing an npm package that differs from package-lock.json - this behaves the same. If you
pip install -r requirements.txtit installs the exact versions specified by the package maintainer, just likenpm installthe only difference is python requires you to specify the “lock file” instead of implicitly reading one from the CWDAs I understand, when you update npm packages, if a package/version is specified in
package-lock.json, it will not get updated past that version. But running those pip commands you mentioned is only going to affect what version gets installed initially. From what I can tell, nothing about those commands is stopping pip from eventually updating a package past what you had specified in therequirements.txtthat you installed from.I don’t follow. If my package-lock.json specifies package X v1.1 nothing stops me from manually telling npm to install package X v1.2, it will just update my package.json and package-lock.json afterwards
If a requirements.txt specifies X==1.1, pip will install v1.1, not 1.2 or a newer version. If I THEN install package Y that depends on X>1.1, the pip install output will say 1.1 is not compatible and that it is being upgraded to 1.2 to satisfy package Y’s requirements. If package Y works fine on v1.1 and does not require the upgrade, it will leave package X at the version you had previously installed.
That’s not a lockfile. This would be the equivalent of package.json
How is it not a lock file?
package.json doesn’t contain the exact version number of all downstream dependencies, this does
More context: https://www.langton.cloud/python-pip-requirements-txt-lock-file/
Lockfile contains exact state of the npm-managed code, making it reproducible exactly the same every time.
For example without lockfile in your package.json you can have version 5.2.x. In your working directory, you use 5.2.1, however on repo, 5.2.2 has appeared, matching your criteria. Now let’s say a new bug appeared in 5.2.2.
Now you have mismatched vendor code, that can make your code behave differently on your machine, and your coworker’s machine, making you hunt for bug that wasn’t even on your side.
Lockfile prevents that by saving an actual state of vendor code.
Yes, which is EXACTLY like a
pip freeze’d requirements.txt, storing the exact version of every package and downstream dependency you have installedBottom should be Composer.
npm is just plain up terrible. never worked for me first try without doing weird stuff
In my experience npm is not great but it does work most of the time. I just tried installing bunch of stuff using pip and NONE of them worked. Python is backwards compatibility hell. Python 2 vs 3, dependencies missing, important libraries being forked and not working anymore. If the official installation instructions are ‘pip install X’ and it doesn’t work then what’s the point?
npm has A LOT of issues but generally when I do ‘npm i’ i installs things and they work.
But the main point is that cargo is just amazing :)
P.S. Never used ruby.
Hmm, I personally haven’t seen that kind of issue myself though. I also tend to not use random packages from random authors though, so that might help.
deleted by creator
The main issue with JS is that every 6 months someone comes up with the next great tool that misses half of basic features and dies after 6 months when someone comes up with the next great tool. But at least the old tested solution still works unlike in Python where the main goal seems to be breaking the backwards compatibility as often as possible.
pnpm is already very well established, it’s not completely different from npm either so they didn’t have to reinvent the wheel, they just made some things much better.
Python is is just a mess on the other hand, a thousand tools all with some overlap in what they’re trying to achieve because they didn’t have the balls to make pip an all-in-one solution, there are 2 great alternatives that do almost everything though: poetry and pdm. I read a spot on analysis on this article, maybe it can help you make a choice
This is great, thanks. Will definitely read even though I don’t do much work in python. It’s good to know how NOT to do things.
lol what. Node does a new major release every six months. And you’re shit talking python? There’s probably never going to be another major version change, and minor versions have several years of support
In like 10 years of python development I don’t think I’ve ever been mad about breaking changes in python.
I’m still rocking the fuck out of PHP (8) 😘
That’s not a controversial opinion. I’d say it’s worse than pip. At least pip doesn’t put nag messages on the console or fill up your hard drive with half a gigabyte of small files. OP is confused.
npm is so good there are at least 3 alternatives and every package instructs on using a different one.
About the only good thing about npm is that I can use one of the superior alternatives. Using npm is almost always a headache as soon as you start working with a decent number of packages.
Sorry but nah. My last job we had a couple different python microservices. There was pipenv, venv, virtualenv, poetry, Pipfile.lock, requirements.txt (which is only the top level???), just pure madness
Apparently all this shit is needed because python wants to install shit globally by default? Are you kidding?
Well, we also had a couple node microservices. Here’s how it went: npm install. Done.
Afraid you fucked something and want a clean environment? Here’s how you do it with node: delete
node_modules/. Done.Want a clean python env? Uhhhhhhhh use docker I guess? Maybe try reinstalling Python using homebrew? (real actual answers from the python devs who set these up)
Well what’s currently installed?
ls node_modules, or usenpm lsif you want to be fancy.In python land? Uhhhhhh
Let’s update some dep–WHY AREN’T PYTHON PACKAGES USING SEMVER
So yeah, npm may do some stuff wrong, but it seems like it does way more shit right. Granted I didn’t really put in the effort to figure out all this python shit, but the people who did still didn’t have good answers. And npm is just straightforward and “works”.
“But JS projects pull in SOOOO many dependencies” Oh boohoo, you have a 1TB SSD anyway.
None of that was needed. It was just used because nobody at your company enforced a single standard for developing your product.
rm -rf venv/. Done.
python -m venv venv
pip freeze. pip list if you want it formatted.
Janky, legacy python packages will have random versioning schemes. If a dependency you’re using doesn’t follow semver I would question why you’re using it and seek out an actively maintained alternative.
Im honestly surprised someone using Python professionally appears to not know anything about how pip/venv work.
The points you think you are making here are just very clearly showing that you need to rtfm…
More like rtfms. I really didn’t feel like learning 20 different tools for repos my team didn’t touch very often.
I really don’t see the hassle… just pick one (e.g. pip/venv) and learn it in like half a day. It took college student me literally a couple hours to figure out how I could distribute a package to my peers that included compiled C++ code using pypi. The hardest part was figuring out how to cross compile the C++ lib. If you think it’s that hard to understand I really don’t know what to tell you…
Sure, for a new project. But when inheriting code I’m not in a position to pick.
The point is that the state of python package managers is a hot fucking mess compared to npm. Claiming that “npm is just as bad” (or worse) honestly seems ridiculous to me.
(And isn’t pip/venv the one the
requirements.txtone? Completely flat, no way to discern the difference between direct dependencies and sub-dependencies? No hashes? Sucks when it’s time for updating? Yeah no thanks, I’d like a proper lock file. Which is probably why there are a dozen other tools.)the only time i’ve had issues with pip is when using it to install the xonsh shell, but that’s not really pip’s fault since that’s a very niche case and i wouldn’t expect any language’s package manager to handle installing something so fundamental anyways.
It’s all fun and games until the wheel variant you need for your hardware acceleration package conflicts with that esoteric math library you planned on using.
Isn’t this why you use venv?
This isn’t a pip issue though. Either these packages work together and the packaging is wrong, or they don’t work together.