Package managers be like (linux.community)

Sorry Python but it is what it is.

[-] pastermil@sh.itjust.works 73 points 11 months ago

So you are saying that npm is better than pip?? I'm not saying pip is good, but npm?

[-] soeren@iusearchlinux.fyi 36 points 11 months ago

npm has a lockfile which makes it infinitely better.

[-] bjorney@lemmy.ca 21 points 11 months ago

pip also has lock files

pip freeze > requirements.txt

[-] SatyrSack@lemmy.one 7 points 11 months ago

Would that just create a list of the current packages/versions without actually locking anything?

[-] bjorney@lemmy.ca 8 points 11 months ago* (last edited 11 months ago)

Would that just create a list of the current packages/versions

Yes, and all downstream dependencies

without actually locking anything?

What do you mean? Nothing stops someone from manually installing an npm package that differs from package-lock.json; this behaves the same. If you pip install -r requirements.txt it installs the exact versions specified by the package maintainer, just like npm install. The only difference is that Python requires you to specify the "lock file" instead of implicitly reading one from the CWD.

[-] SatyrSack@lemmy.one 3 points 11 months ago* (last edited 11 months ago)

As I understand, when you update npm packages, if a package/version is specified in package-lock.json, it will not get updated past that version. But running those pip commands you mentioned is only going to affect what version gets installed initially. From what I can tell, nothing about those commands is stopping pip from eventually updating a package past what you had specified in the requirements.txt that you installed from.

[-] rgalex@lemmy.world 3 points 11 months ago

The behaviour you mention is from npm install, which will put in the exact same version from the package-lock.json, if present. If not, it will act as an npm update.

npm update will always update, and rewrite the package-lock.json file with the latest version available that complies with the restrictions defined on the package.json.

I may be wrong, but I think the difference may be that Python only has the behaviour that package-lock.json offers, but not the package.json, which allows the developer to put constraints on the max/min version allowed to be installed.

[-] fushuan@lemm.ee 2 points 11 months ago

If you want min-max behaviours you need to use wrappers like pipenv or jump into conda/mamba. Pip offers basic functionality because there are more advanced tools that the community uses for the more advanced use cases.

[-] bjorney@lemmy.ca 2 points 11 months ago

But running those pip commands you mentioned is only going to affect what version gets installed initially.

I don't follow. If my package-lock.json specifies package X v1.1 nothing stops me from manually telling npm to install package X v1.2, it will just update my package.json and package-lock.json afterwards

If a requirements.txt specifies X==1.1, pip will install v1.1, not 1.2 or a newer version. If I THEN install package Y that depends on X>1.1, the pip install output will say 1.1 is not compatible and that it is being upgraded to 1.2 to satisfy package Y's requirements. If package Y works fine on v1.1 and does not require the upgrade, it will leave package X at the version you had previously installed.

[-] soeren@iusearchlinux.fyi 0 points 11 months ago

That's not a lockfile. This would be the equivalent of package.json

[-] bjorney@lemmy.ca -2 points 11 months ago

How is it not a lock file?

package.json doesn't contain the exact version number of all downstream dependencies, this does

[-] gornius@lemmy.world 0 points 11 months ago

A lockfile contains the exact state of the npm-managed code, making it reproducible exactly the same every time.

For example, without a lockfile, in your package.json you can have version 5.2.x. In your working directory you use 5.2.1; however, on the repo, 5.2.2 has appeared, matching your criteria. Now let's say a new bug appeared in 5.2.2.

Now you have mismatched vendor code, which can make your code behave differently on your machine and your coworker's machine, making you hunt for a bug that wasn't even on your side.

A lockfile prevents that by saving the actual state of the vendor code.

[-] bjorney@lemmy.ca 1 points 11 months ago

Yes, which is EXACTLY like a pip freeze'd requirements.txt, storing the exact version of every package and downstream dependency you have installed
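The 5.2.x drift scenario from gornius's comment and the pinned requirements.txt bjorney describes, as an added example that is not part of the thread: a small offline resolver shows that a range specifier picks up a newly published 5.2.2 while an exact `==` pin does not, plus a check that flags requirements.txt lines which are not pinned and therefore cannot act as a lock. The version lists and requirement lines are constructed for illustration, and `resolve`/`unpinned` are assumed helper names, not pip or npm functionality.

```python
import re

def parse_version(v):
    """'5.2.1' -> (5, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))

def satisfies(version, spec):
    """True if version meets every comma-separated clause in spec (e.g. '>=5.2,<5.3').
    Supports ==, >=, <=, >, <, ~= (compatible release); enough for the thread's case."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|>=|<=|>|<|~=)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        op, tgt = m.group(1), parse_version(m.group(2))
        if op == "~=":  # ~=5.2.1 means >=5.2.1 and ==5.2.*
            ok = ver >= tgt and ver[:len(tgt) - 1] == tgt[:-1]
        else:
            ok = {"==": ver == tgt, ">=": ver >= tgt, "<=": ver <= tgt,
                  ">": ver > tgt, "<": ver < tgt}[op]
        if not ok:
            return False
    return True

def resolve(spec, available):
    """Newest available version matching spec, as an installer would pick; None if none."""
    matches = [v for v in available if satisfies(v, spec)]
    return max(matches, key=parse_version) if matches else None

def unpinned(requirements_text):
    """Names in a requirements.txt that are NOT pinned with '==', i.e. lines that can
    drift like a package.json range instead of behaving like a lockfile entry."""
    loose = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(==)?", line)
        if m and m.group(2) != "==":
            loose.append(m.group(1))
    return loose

# Constructed scenario from the thread: package.json allows 5.2.x, the working
# directory was set up when 5.2.1 was newest, then 5.2.2 appears on the index.
RANGE_SPEC = ">=5.2,<5.3"
PIN_SPEC = "==5.2.1"
INDEX_BEFORE = ["5.1.9", "5.2.0", "5.2.1"]
INDEX_AFTER = INDEX_BEFORE + ["5.2.2"]

if __name__ == "__main__":
    print("range before/after:", resolve(RANGE_SPEC, INDEX_BEFORE), resolve(RANGE_SPEC, INDEX_AFTER))
    print("pin after:", resolve(PIN_SPEC, INDEX_AFTER), "loose:", unpinned("requests==2.31.0\nflask>=2.0\nnumpy\n"))
```

Running `unpinned` over a hand-written requirements.txt is the quick way to tell whether it is really a freeze-style lock or just a package.json-style range list.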

[-] tias@discuss.tchncs.de -2 points 11 months ago
[-] 48954246@lemmy.world 15 points 11 months ago

That's pipenv. Pip just has the capability to read and write from a requirements.txt, which is a step that must be taken manually

[-] tias@discuss.tchncs.de 2 points 11 months ago

Oh right, sorry.

[-] ExLisper@linux.community 3 points 11 months ago

I would say npm is shitty like a lot of tools are. pip takes it to the next level.

[-] pastermil@sh.itjust.works 2 points 11 months ago

Yeah? I don't recall having to wait a long time when setting up my project using pip.

this post was submitted on 13 Oct 2023
324 points (81.4% liked)

Programmer Humor