Erick Sosa Garcia

Do we really need a package manager for deno?

When I heard about Deno in 2019 I thought, why another runtime for JavaScript?

It has some problems in its internal architecture, as Ryan explains in this lecture.

A very common question about Deno is: where is the package manager? In his lecture, Ryan explains Node.js's problems with npm and that trying to fix them is no longer feasible, so Deno is intended to solve these problems without needing a package manager. But for some developers, changing the paradigm is not negotiable.

Using URLs to handle packages is something other programming languages like Go also do. The hard part is having to handle URLs in, say, 30 files. One solution is to have a single file where all the modules are imported, like this:

// deps.ts

export { equal } from "https://deno.land/std@0.58.0/bytes/mod.ts";
export { Sha1 } from "https://deno.land/std@0.58.0/hash/sha1.ts";
export { HmacSha256 } from "https://deno.land/std@0.58.0/hash/sha256.ts";
export {
  serve,
  serveTLS,
} from "https://deno.land/std@0.58.0/http/server.ts";
export {
  Status,
  STATUS_TEXT,
} from "https://deno.land/std@0.58.0/http/http_status.ts";
export { BufReader, BufWriter } from "https://deno.land/std@0.58.0/io/bufio.ts";
export { copyBytes } from "https://deno.land/std@0.58.0/io/util.ts";
export {
  basename,
  extname,
  join,
  isAbsolute,
  normalize,
  parse,
  resolve,
  sep,
} from "https://deno.land/std@0.58.0/path/mod.ts";
export { assert } from "https://deno.land/std@0.58.0/testing/asserts.ts";
export {
  acceptable,
  acceptWebSocket,
  WebSocket,
} from "https://deno.land/std@0.58.0/ws/mod.ts";

// 3rd party dependencies

export {
  contentType,
  extension,
  lookup,
} from "https://deno.land/x/media_types@v2.3.7/mod.ts";
export {
  compile,
  Key,
  parse as pathParse,
  ParseOptions,
  pathToRegexp,
  TokensToRegexpOptions,
} from "https://raw.githubusercontent.com/pillarjs/path-to-regexp/v6.1.0/src/index.ts";

Another way is to use import maps, a proposal for the web that Deno already implements, although for now it is an unstable feature.

// import_map.json
{
   "imports": {
      "fmt/": "https://deno.land/std@0.55.0/fmt/"
   }
}

This allows importing in a much more traditional way:

import { red } from "fmt/colors.ts";

console.log(red("hello world"));
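
With URLs spread over a deps.ts file and an import map, the same module can end up pinned at different versions, or pinned only loosely. The following is an added example, not code from the original post or from Trex: a small audit (runnable under Deno or Node) over sample input constructed from the snippets on this page. The names `SOURCES`, `parseRemote` and `audit`, and the single-host allowlist, are assumptions made for illustration.

```javascript
// Added example: audit URL imports for version drift, loose pins and extra hosts.
// SOURCES is sample input constructed from the snippets shown on this page.
const SOURCES = {
  "deps.ts": `
export { Sha1 } from "https://deno.land/std@0.58.0/hash/sha1.ts";
export { serve } from "https://deno.land/std@0.58.0/http/server.ts";
export { lookup } from "https://deno.land/x/media_types@v2.3.7/mod.ts";
export { compile } from "https://raw.githubusercontent.com/pillarjs/path-to-regexp/v6.1.0/src/index.ts";`,
  "import_map.json": `{ "imports": {
  "fmt/": "https://deno.land/std@0.55.0/fmt/",
  "React": "https://unpkg.com/react-dom@16/umd/react-dom.development.js" } }`,
};

const EXACT = /^v?\d+\.\d+\.\d+$/; // full major.minor.patch pin

// Split a remote import URL into host, package key and version (null if none).
function parseRemote(raw) {
  const url = new URL(raw);
  let m = url.pathname.match(/^(.*?)@([^/]+)/); // ".../name@version/..."
  if (!m && url.host === "raw.githubusercontent.com") {
    // Layout is /owner/repo/ref/path, so the ref is the third segment.
    m = url.pathname.match(/^(\/[^/]+\/[^/]+)\/([^/]+)\//);
  }
  const pkg = url.host + (m ? m[1] : url.pathname);
  return { host: url.host, pkg, version: m ? m[2] : null };
}

// Hypothetical helper: returns what a reviewer would want flagged.
function audit(sources, allowedHosts) {
  const versions = new Map(); // package key -> Set of versions seen
  const loose = [];
  const offHosts = new Set();
  for (const [file, text] of Object.entries(sources)) {
    for (const raw of text.match(/https?:\/\/[^\s"']+/g) || []) {
      const { host, pkg, version } = parseRemote(raw);
      if (!allowedHosts.includes(host)) offHosts.add(host);
      if (version === null || !EXACT.test(version)) loose.push(`${file}: ${raw}`);
      if (!versions.has(pkg)) versions.set(pkg, new Set());
      versions.get(pkg).add(version);
    }
  }
  const mixed = [];
  for (const [pkg, seen] of versions) {
    if (seen.size > 1) mixed.push(`${pkg}: ${[...seen].sort().join(", ")}`);
  }
  return { mixed, loose, offHosts: [...offHosts].sort() };
}

console.log(audit(SOURCES, ["deno.land"]));
```

On this page's own snippets it reports `std` at both 0.55.0 and 0.58.0, the `react-dom@16` URL as pinned to a major version only, and two hosts outside the allowlist.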

But we can have a way to handle modules as with npm, without dragging along the problems that npm has. Trex is a project that I am developing that tries to implement the best of both sides. It combines installing modules through a CLI, but without the node_modules folder since everything is cached, with the ability to install tools like velociraptor and denon in a very simple way.

Trex just creates an import_map.json file where all the dependencies are listed.

npm in Node.js:

$ npm install lodash

Trex in Deno:

$ trex install --map oak

All modules are extracted from the Deno website, so any module that is in the standard library or in deno.land/x can be installed with Trex.

You can also install a custom module from anywhere using:

$ trex --custom React=https://unpkg.com/react-dom@16/umd/react-dom.development.js

Likewise, it is added to the import map and the cache.

Top comments (6)

Caio Quirino da Silva

Maybe not really a package manager, but I think that it's nice to have a single place to specify the repository path/mapping and the version. Like we have in the mappings, but if we use it for everything then it's a package manager :)

I am thinking more of a case where you need to bump a minor version because of a security problem, and the list of changes... And what happens when you mix different versions through the files by mistake :)

Erick Sosa Garcia Author

I think we don't need a package manager for Deno but one with which to manage dependencies.

Michael van Olden

Deno, itself, doesn't need a package manager, but the JavaScript community benefits greatly by having a community-driven effort to curate and do security audits on packages. Also, it is ideal to only have links to a few known domains for routing/firewall whitelisting, rather than many independent repositories.

In the future, it is possible that package validation services from GitHub and GitLab could be a replacement for NPM/Yarn. Personally, I feel that NPM/Yarn are so integral to the Node JS experience that Deno will, eventually, need to match them to promote adoption.

Erick Sosa Garcia Author

I agree, but although companies like npm / yarn review the packages, it does not mean that they are safe, and cases like Event-Stream demonstrate that malicious code can be injected. The community is very attentive and detects this type of insertion, but it is a much bigger problem that does not depend on the execution environments, but on how we depend on third-party software.

Adam Crockett

I've been working bundleless with Snowpack lately; no, you don't need a package manager. I think a Snowpack frontend would work fantastically with Deno!

Adam Crockett

I wrote my own didi.land
