The dark side of package managers

Emad Elsaid
4 min read · Jan 22, 2016

Back in the old days, in a galaxy far far away, we used to integrate third party libraries manually. We had to read the README file or even dig our way through the code to get that pile of code integrated into our own application. It was painful and full of crying, and there was blood in the process; sometimes it didn’t even work. If you remember the first time you wanted to integrate OpenGL into your Microsoft Visual Studio project and how painful that was... oh god, I really don’t want to remember.

And then a hero came, or shall I say a third dimension to a whole world full of heroes: package managers. Third parties define their code’s metadata and an installation script, package the whole thing up and put it on some package index website, then the whole world pulls it down with one command and voilà, it’s there and it works. A pain-free process, more users for the library and more code in your app that you didn’t have to write yourself. But you know what? That anonymous genius who said “no pain no gain” was terribly right: there was a dark side to this package-manager heaven we were all hallucinating.

The problems with this process are obvious to the naked eye, and they come from two sides, each of them abused by the community to the extreme. The first side is the package providers. The ease of publishing a new package with no review and no filtering mechanism led to some of the most polluted package indices of all time; npm and RubyGems are examples. It’s not that rare to stumble upon a package that has nothing in it, a complete emptiness just sitting there waiting for a fool to download it for a reason nobody knows. The problem is that good code gets mixed up with shitty code and the community gets driven by a fake number of downloads: you find a package with a high download count, so you trust the hell out of it and include it in your project, and then you discover that it is not up to your expectations and definitely not up to its download numbers. This affects the industry as a whole, because you discover the issue after building on top of the package, and you are so deep in the shit that in a lot of cases you can’t get away from it.

The other side is the consumer. People are getting lazy, really really reaaaaallly lazy. If you are using a language with a package manager like node.js you’ll find it easier to grab a package that implements a single damned method than to implement it yourself. The problem with that? Well, let’s see: it’s the damned maintainability, one of the big software principles that people don’t care about anymore. If you include a third party library in your code you should be able to get it maintained, so when you discover a bug in that single-method library (after walking around your application with all kinds of question marks over your head, to end with the conclusion that it is the damned single-method library) you’ll have to ask the developer to fix the bug, right? Soooo, how much time do you think an open source developer who volunteered to publish his single-method package has to fix it? And even when he fixes it, it’ll be too late for you; he’ll not save you when your production server goes down because of that bug. You had to write the thing yourself in the first place.

And it’s a pattern. You can find a package that wraps another package’s feature to “make things easier”; developers get lazy and use it, then they hit the wall and have to learn how to dig deeper to use the original library. Or a developer who needs a single feature of a goliath framework includes the whole monster instead of implementing it himself, and adds a couple of megabytes to his project.
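The three smells above (empty packages that ride on a download count, single-method packages nobody will maintain for you, and thin wrappers over a real library) can be turned into a pre-install check that looks at what a package actually contains rather than at its popularity. This is an added example, not code from the post; the package names, numbers and line-count thresholds are constructed, and the metadata shape is an assumption about what you would assemble from a registry’s metadata plus the unpacked tarball.

```python
import json

# Constructed sample metadata (package names and numbers are made up).
# "source_lines" is the size of the code in the tarball, "deps" its runtime deps.
SAMPLE_PACKAGES = json.loads("""
{
  "is-even-number": {"downloads": 2500000, "source_lines": 3,    "files": ["index.js"],            "deps": []},
  "ghost-pkg":      {"downloads": 900000,  "source_lines": 0,    "files": [],                      "deps": []},
  "easy-http":      {"downloads": 40000,   "source_lines": 12,   "files": ["index.js"],            "deps": ["http-client"]},
  "http-client":    {"downloads": 300000,  "source_lines": 2400, "files": ["lib/a.js", "lib/b.js"], "deps": []}
}
""")

# Heuristic thresholds; assumptions of this example, tune them for your codebase.
SINGLE_METHOD_MAX_LINES = 10
WRAPPER_MAX_LINES = 30


def audit_package(name, meta):
    """Return findings for one package based on its contents only.
    The download count is deliberately ignored as a trust signal; it is
    only echoed so the reader sees popularity and substance side by side."""
    findings = []
    popularity = f"({meta['downloads']} downloads changes nothing)"
    if meta["source_lines"] == 0 or not meta["files"]:
        findings.append(f"empty: no source files in {name} {popularity}")
    elif meta["source_lines"] <= SINGLE_METHOD_MAX_LINES and not meta["deps"]:
        findings.append(f"single-method: {name} is small enough to own in-tree; "
                        f"a bug fix would wait on a volunteer {popularity}")
    elif len(meta["deps"]) == 1 and meta["source_lines"] <= WRAPPER_MAX_LINES:
        findings.append(f"wrapper: {name} is a thin layer over {meta['deps'][0]}; "
                        f"use the original library directly")
    return findings


def audit_manifest(packages):
    """Audit every package; return {name: findings} for packages with findings."""
    report = {}
    for name, meta in packages.items():
        findings = audit_package(name, meta)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_manifest(SAMPLE_PACKAGES).items():
        print(name, "->", "; ".join(findings))
```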

Well, it’s getting crazier with time, and I don’t want to wake up one day to find that no developer can write an HTTP server with his bare hands and a language’s standard library, or can’t talk to a database over a port instead of using a fancy ORM to do it for him. Of course you can use packages, but at some point you have to say “no, I have to write this myself, I’m a developer, not a code-collecting machine”.
