It might be invoked on every build (if you’re online, not if you’re offline), but I think that’s more coincidental than something I’d categorize as managing dependencies. For me managing dependencies is more about adding, removing, and upgrading and not the act of downloading files. I’d say that’s more of a subset of the actions taken during the process.
A bad good example
When I was at Vendr we had:
- about 600K lines of Elm
- about 1.2M lines of TS
- roughly 30-40 total dependencies in our elm.json, and an additional 1-2 vendored dependencies
- I don’t even know how to count how many TS dependencies, likely hundreds
Super-centralisation
Centralization makes it easy to find common projects. GitHub might not be one’s choice today, but there’s a lot more that goes into this than “M$ bad” (and yes I agree on the disliking M$ approach to tech/github).
But we can just add the dependency using a link to the repo, right?
Yep! We can do that easily with git subtree (a resource I’ve used for learning this Git Subtree: Alternative to Git Submodule | Atlassian Git Tutorial), an option that’s been around for over a decade now and works very well.
risk of the Elm registry “disappearing”
This is definitely a risk, bot not really any more so than with any other centralization. I’ve had builds fail in a variety of other languages (Go, JS) due to their centralized repos going down. And unlike say npm, Elm defaults to caching dependencies meaning you can almost always rely on that cache being present and are only hitting the centralization issue when you blow away your cache.
No integrity check Not good enough integrity checks for a small subset of possible use cases
Easily and quickly solved with vendoring. If your project needs absolutely certainty that things aren’t changing out from underneath you, you should be vendoring.
Use SemVer!
Elm does and better than most others!
no development packages
I suppose this is mildly annoying, but in practice it doesn’t really matter. I’m not speculating here, this has been my experience both in Elm and non-Elm languages. Some companies are strict about versioning, but I find it’s more of a formality and adherence to process for process sake than actually looking at the content of the versioning. There are exceptions, but I’m talking about the majority of practice.
No maintenance tools
Not sure what this section is about. There are maintenance tools like elm-json.
the only way to update the description is releasing a new version.
I’m not sure I’ve seen a package in other projects update the description of an old release. Maybe that’s a thing? Usually when you’re dealing with important security issues there’s a place to get information. In practice Elm projects don’tt have that many dependencies so it’s easy to follow them, if that’s what you want to do.
A real world example of this that I’ve implemented is depending on timezone-data 11.1.0. You don’t want your TZ data to be behind (I’ve experienced this), so I added a tiny step to our CI to automatically pull down the latest version and add it as a dependency. In ~4 years at Vendr, this script was used about 10 times. I think you could spend another 2-3 paragraphs on the benefits & safety of this, but succinctly it was an easy and huge benefit.
No separated namespaces
This can definitely suck, and elm-units-prefixed 2.8.0 is a terrific example! I think I’ve also encountered this once in the past 7 years of writing Elm.
No Licensing information
There’s at least 2 tools for this that have been around since at least 2019
I built mine after having to deal with this issue with JS for work back in like 2017 / '18. It was far easier to trust a tool to give a quick and useful report than to hope a developer read a website/file.
Alternatives
simply imports a git repo
This is essentially vendoring, and I’m a huge fan of it. I vendor in Elm, in Odin, and JS. I recommend it to anyone that’ll listen.
add a checksum
Seems reasonable I suppose
Allow for custom registries
Nice to have I guess, but definitely not make or break. It’s also been proven in Elm, JS, and other languages that the community can do this when they want to.
Package maintenance through a file
mistakes can quickly be remedied
I’m not sure this has to do with dependencies. Feels like more about the language itself. E.g. if a vulnerability is found and you work at “place that only allows vetted dependencies” then you still have to go through the whole process of vetting the dependency changes.
Import-Aliases
My guess is this would be a whole language change and not just a dependency management issue, but I could be wrong.
Attestation
IMO this gets weird quickly. Specifically thinking about things like
I wouldn’t want a review by user1968431 to have the same weight as one by Google.
and incidents like left-pad where a “reliable” person took down a huge repository. There are other examples too, but that’s a common enough one that I expect most to have heard of it.
How to store artifacts/sources
Is there a problem with how Elm stores source today? Is ELM_HOME bad in some way? From what I can tell you like the Elm approach and maybe aren’t aware of it but it’s hard to say.
