A critique of package managers

Manual vs automated dependency management

  • A core split is whether automating dependency handling is inherently harmful or just misused.
  • Supporters of the article argue package managers “automate dependency hell”: they hide complexity, encourage thoughtlessly adding libraries, and make it easier to accumulate huge, poorly understood trees of transitive dependencies. Manual vendoring and pinning are seen as forcing developers to confront costs and alternatives.
  • Critics respond that all the hard problems (version conflicts, API breaks, security, licenses) remain whether or not you use a package manager; manual workflows just add toil and fragile ad‑hoc scripts. They’d rather spend the saved effort on auditing.

Ecosystem constraints and scale

  • Several commenters note that in web/SPAs and large multi-team systems, vast dependency graphs are driven by ecosystem norms and business needs. Removing npm (or similar) in one project doesn’t change that.
  • Others counter that increased friction does in fact reduce dependency count, and that many tasks are reasonably re‑implementable, especially when libraries are overgeneral or hard to integrate.
  • From embedded, safety‑critical, and large enterprise contexts: manual vendoring is called unrealistic when shipping libraries, not just executables; integrators must compose many components and versions, and need systematic tooling.

Security, quality, and registries

  • Many agree each dependency is a liability: bugs, license changes, compromise, abandonment. Package managers don’t fix this, but they do centralize updates and can integrate scanners and vulnerability databases.
  • Some argue the real problem is registry governance, not package managers per se: contrast npm’s “wild west” with more curated ecosystems (Debian/apt, NuGet, Maven).
  • Proposals include: third‑party auditing services wired into package managers, stronger vetting (Rust’s cargo‑vet/crev, provenance tools), and more curated “premium” registries.

Standard libraries vs ecosystem design

  • A recurring theme: languages with rich, coherent standard libraries (Go, some OS distros) reduce dependency pressure, whereas thin stdlibs (Rust, JS) push everything into external crates/packages, increasing sprawl.
  • Others point out there’s no universal set of “batteries”; what’s standard for web or systems programming is irrelevant for robotics or scientific computing.

Reactions to the article’s rhetoric

  • The “package managers are evil” framing is seen by some as hyperbolic or clickbait; they argue it fails to acknowledge any real benefits (reproducibility, ease of sharing, time saved).
  • Defenders say the hyperbole is intentional: the claim is that automating this particular kind of “hell” is net‑negative for the ecosystem, and that there are only tradeoffs, not solutions.