So why isn't the host for the dependency specified in the package.json instead?
I think NPM is poorly designed. These lessons have all been learnt in the past by the maven ecosystem, and yet, it is repeated again in the javascript npm ecosystem.
Maven sidesteps the issue by not even having lockfiles and leaving everyone who checks out a repo free to have different versions of subdependencies, so I'm not sure it's a very stellar example.
Only if you use snapshot dependencies (or your dependencies use that).
Maven pins down the version for you if you followed the "best practise", or you can override sub-dependencies' versions if you should so choose (via dependencyManagement), and also lets you control the actual repo to download from as well. And as a bonus, you get to share the binary across different projects if they are on the same machine.
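As an added illustration of the two Maven mechanisms mentioned in the comment above (version pinning via dependencyManagement and naming the repository artifacts are fetched from), here is a constructed pom.xml fragment. It is not code from any commenter; the group ids, artifact ids, versions and repository URL are placeholders.

```xml
<!-- Added example (not from any commenter in this thread): a constructed pom.xml
     showing dependencyManagement pinning plus an explicit, checksum-checked,
     snapshot-free repository. All coordinates and the URL are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>pinned-build</artifactId>
  <version>1.0.0</version>

  <!-- 1. Pin transitive versions. Any dependency, direct or pulled in by another
          library, matching this groupId:artifactId resolves to exactly this
          version, overriding whatever the intermediate POMs request. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.shared</groupId>
        <artifactId>common-util</artifactId>
        <version>2.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- A fixed release version, not a -SNAPSHOT, so the artifact that is
         resolved cannot silently change between two builds. -->
    <dependency>
      <groupId>com.example.lib</groupId>
      <artifactId>http-client</artifactId>
      <version>5.1.0</version>
    </dependency>
  </dependencies>

  <!-- 2. Name the repository artifacts come from; reject snapshots and any
          artifact whose published checksum does not match what was downloaded. -->
  <repositories>
    <repository>
      <id>internal-releases</id>
      <url>https://repo.example.internal/maven2</url>  <!-- placeholder host -->
      <releases>
        <enabled>true</enabled>
        <checksumPolicy>fail</checksumPolicy>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
</project>
```

One caveat when relying on this for supply-chain control: the Maven super POM still adds Maven Central as a repository, so declaring your own repository in the pom does not by itself stop resolution from going elsewhere. To force every artifact through a single vetted host, also configure a mirror in settings.xml with mirrorOf set to `*`; combined with the pinned versions and `checksumPolicy` of `fail` above, a build then fails loudly rather than quietly picking up a different artifact.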
> What's poorly designed about each dependency recursively installing its own dependencies even if some of them are shared?
Something npm doesn’t do, so not a great example. Simple apps having dependencies with lots of files is also a package ecosystem thing, not a package manager thing.
> Are you telling me the package manager that installs tens of thousands of files for a simple app is poorly designed?
I blame the tiny JS stdlib and the resulting culture for this, rather than the package manager.
It's true that the package manager enabled that culture to flourish, but a package manager would have come about either way. And if npm had somehow disallowed massive dependency chains and 14 line packages, a competitor would have filled the gap and been adopted as a result.
In my recollection that culture predated package managers for Node. When npm came around people on the official node IRC channel were already advocating tiny, single function modules. Those tiny packages on npm, albeit being weird, felt like a pretty organic culture thing. Not sure where that came from, I think it might have already been a thing for a subset of that community coming from other tech stacks at the time.
While the node stdlib isn't all-bolts-included, I wouldn't exactly call it tiny either. What are you missing? I kind of blame the community for moments of stupidity like that leftpad thing just to pick one, if somebody had added some great extensions to the string class before that happened it would have been some other tiny issue.
I don't know the js world well at all, but it seems to me it's got to be the culture much more than the standard library.
Look at C. Libc is tiny and relatively useless compared to most languages. Things are rarely ever added relative to decades ago. But there are many high quality self contained projects with very thin dependencies. Example: sqlite depends on libc and a few syscalls. It's an extremely solid piece of work despite those constraints. What's your excuse?