juujian•1h ago
Not supposed to be a judgemental question. Not every repo has to be a labor of love for sure. But how do you get to that place where there are 120 unused dependencies? I'm sure there are many different pathways where things get a bit out of control. People doing the equivalent of pip freeze? Or (too) many cooks?
rtpg•59m ago
I have witnessed a lot of kinda spurious pinning going on. Or like "ok we need to fix the bounds for this transitive dependency for a bit" and then it just sticks around.
Over a decade that's once a month, which is a lot though!
I think sometimes people will hear advice like "pin your deps" and do a `pip freeze > requirements.lock.txt`, without really absorbing that pinning transitive dependencies like this is generally not what you want.
You want a lock file! But you tend to want transitive dependencies that aren't locked down to get upgraded when you upgrade your direct dependencies. But it's a subtlety that can get lost in the noise.
zdragnar•23m ago
1- I want my dependencies to define a range for the libraries that they work with, so we don't have 20 different versions of some common library because our dependencies are hyper specific
2- I want every install of my project- be it on a dev machine or deploy machine- to have the exact same versions of dependencies, including transitive ones. I don't want to deal with bugs caused by surprise version changes
3- if I upgrade a dependency or remove it, I want the transitive dependencies managed automatically. I don't want orphaned transitive dependencies. In fact, I don't even want to think about them at all other than know that they work and aren't adding bloat or security risks.
You need a package manager with more than a passing thought for handling lock files. For the longest time, npm wasn't it. I'd argue that it still isn't, because "npm install" should NOT be the command used for both "set up a project for the first time" and "add a new package". In the first case, I want a reproducible, deterministic result of a known state. In the second case, I want to modify the dependency graph, producing a new state.
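The two comments above (rtpg's point that a `pip freeze` dump pins transitive packages that then never get cleaned up, and zdragnar's point 3 that removing a direct dependency should take its orphaned transitive dependencies with it) can be checked mechanically. The script below is an added example, not code from the thread or from any tool mentioned in it: it takes a project's direct dependencies, a `pip freeze`-style snapshot, and the `Requires-Dist` graph of the installed packages, walks the graph from the direct dependencies, and reports every pinned package that nothing reachable still needs. All three inputs are constructed for the example; in a real repo the freeze comes from `pip freeze` and the graph from each package's metadata (for instance `importlib.metadata.requires`, whose specifier and marker strings would still need parsing, which this example leaves out).

```python
"""Find orphaned pins in a pip-freeze style lock (added example, constructed data)."""
from __future__ import annotations

import re
from collections import deque
from typing import Iterable

# Direct dependencies the project actually declares, with ranges rather than pins.
# Constructed for the example.
DIRECT_DEPS: dict[str, str] = {
    "requests": ">=2.31,<3",
    "flask": ">=3.0,<4",
}

# Constructed `pip freeze` snapshot: distribution name -> pinned version.
# The last four entries are the kind of residue the thread is talking about.
FROZEN: dict[str, str] = {
    "requests": "2.31.0",
    "urllib3": "2.2.1",
    "charset-normalizer": "3.3.2",
    "idna": "3.7",
    "certifi": "2024.2.2",
    "flask": "3.0.3",
    "werkzeug": "3.0.3",
    "jinja2": "3.1.4",
    "markupsafe": "2.1.5",
    "itsdangerous": "2.2.0",
    "click": "8.1.7",
    "blinker": "1.8.2",
    "celery": "5.3.6",    # removed from the project, still pinned
    "kombu": "5.3.5",     # only ever needed by celery
    "billiard": "4.2.0",  # only ever needed by celery
    "numpy": "1.26.4",    # a "temporary" transitive pin nobody removed
}

# Constructed Requires-Dist graph: what each installed package declares it needs.
# Names deliberately use mixed case and underscores, as real metadata often does.
REQUIRES: dict[str, list[str]] = {
    "requests": ["urllib3", "Charset_Normalizer", "idna", "certifi"],
    "flask": ["Werkzeug", "Jinja2", "itsdangerous", "click", "blinker"],
    "jinja2": ["MarkupSafe"],
    "werkzeug": ["MarkupSafe"],
    "celery": ["kombu", "billiard", "click"],
    "kombu": [],
    "billiard": [],
}


def canonical(name: str) -> str:
    """PEP 503 name normalisation: 'Charset_Normalizer' == 'charset-normalizer'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def reachable(direct: Iterable[str], requires: dict[str, list[str]]) -> set[str]:
    """Every package reachable from the direct dependencies via Requires-Dist edges.

    Packages with no entry in `requires` are treated as leaves, which is what
    you see for pure-Python wheels with no dependencies of their own.
    """
    graph = {canonical(k): [canonical(v) for v in vs] for k, vs in requires.items()}
    seen: set[str] = set()
    queue = deque(canonical(d) for d in direct)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def audit(frozen: dict[str, str], direct: Iterable[str],
          requires: dict[str, list[str]]) -> dict[str, list[str]]:
    """Compare the freeze against what the direct dependencies actually pull in.

    'orphaned': pinned in the freeze but not needed by anything reachable.
    'missing':  needed by something reachable but absent from the freeze
                (the lock has drifted from the metadata).
    """
    needed = reachable(direct, requires)
    pinned = {canonical(name) for name in frozen}
    return {
        "orphaned": sorted(pinned - needed),
        "missing": sorted(needed - pinned),
    }


if __name__ == "__main__":
    report = audit(FROZEN, DIRECT_DEPS, REQUIRES)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

On the constructed data this reports `celery`, `kombu`, `billiard` and `numpy` as orphaned and nothing missing; note that `click` survives even though `celery` also depended on it, because `flask` still reaches it. Canonicalising names matters in practice: `pip freeze` prints `charset-normalizer` while the requiring package's metadata may say `Charset_Normalizer`, and without PEP 503 normalisation the walk would miss the edge and misreport the package as orphaned.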
ziml77•21m ago
I assure you that hearing "pin your dependencies" is not why people create a requirements file using pip freeze. It's simply because that has long been how people have said to generate a requirements file, because Python spent much of its life lacking proper project dependency management.
And now it's extremely hard to get people to stop. There's so much info out there on the internet that says to use pip freeze that people are going to keep running into it and keep learning to use it.
ipaddr•56m ago
The ecosystem is set up to encourage this type of pollution.
twodave•46m ago
In my experience it’s usually engineers who run install commands until it builds locally, then check in whatever they’ve got.
wging•24m ago
It sounds like they are counting transitive dependencies. If so, that means they deleted far fewer than 120 different lines in their own config to end up with that level of reduction.