| ▲ | zaptheimpaler 4 days ago | |||||||
Dependency management is a deep problem with a 100 different concerns, and every time someone says "oh here it's easy, you don't need that complexity" it turns out to only apply to a tiny subset of dependency management that they thought about. Maven/Java does absolutely insane things, it will just compile and run programs with incompatible version dependencies and then they crash at some point, and pick some arbitrary first version of a dependency it sees. Then you start shading JARs and writing regex rules to change import paths in dependencies and your program crashes with a mysterious error with 1 google result and you spend 8 hours figuring out WTF happened and doing weird surgery on your dependencies dependencies in an XML file with terrible plugins. This proposed solution is "let's just never use version ranges and hard-code dependency versions". Now a package 5 layers deep is unmaintained and is on an ancient dependency version, other stuff needs a newer version. Now what? Manually dig through dependencies and update versions? It doesn't even understand lockfiles fully. They don't make your build non-reproducible, they give you both reproducible builds (by not updating the lockfile) and an easy way to update dependencies if and when you want to. They were made for the express purpose of making your build reproducible. I wish there was a mega article explaining all the concerns, tradeoffs and approaches to dependency management - there are a lot of them. | ||||||||
| ▲ | adrianmsmith 4 days ago | parent | next [-] | |||||||
1) "it will just compile and run programs with incompatible version dependencies and then they crash at some point" 2) "Now a package 5 layers deep is unmaintained and is on an ancient dependency version, other stuff needs a newer version. Now what? Manually dig through dependencies and update versions?" You can't solve both of these simultaneously. If you want a library's dependences to be updated to versions other than the original library author wanted to use (e.g. because that library is unmaintained) then you're going to get those incompatibilities and crashes. I think it's reasonable to be able to override dependencies (e.g. if something is unmaintained) but you have to accept there are going to be surprises and be prepared to solve them, which might be a bit painful, but necessary. | ||||||||
| ||||||||
| ▲ | yawaramin 4 days ago | parent | prev | next [-] | |||||||
> compile and run programs with incompatible version dependencies and then they crash at some point Just because Java does this doesn't mean every language has to. It's not strongly tied to the dependency management system used. You could have this even with a Java project using lockfiles. > a package 5 layers deep is unmaintained and is on an ancient dependency version, other stuff needs a newer version. Now what? Manually dig through dependencies and update versions? Alternatively, just specify the required version in the top-level project's dependency set, as suggested in the article. | ||||||||
| ▲ | spdionis 3 days ago | parent | prev [-] | |||||||
Funnily enough PHP solved this perfectly with composer, but unfortunately it's not an enterprise-level programming language /s | ||||||||