Story of Package Managers

• Operating systems:
  • RedHat
  • Debian
  • MacOS
  • Windows
  • ...

• Programming languages
  • Javascript
  • Java
  • Objective C
  • Ruby
  • Go
  • Rust
  • Dart
  • PHP
  • Perl
  • ...

Dependency/package managers are often 2nd class citizens

• No dependency manager tooling
• No defined package format
• No transitive dependencies support
• No sticky versions
• No build/configuration tool integration
• No central artifact repository
• Broken system state
• Version conflicts
• Flakey versions

• Not every OS has/started with an official package manager
• Package/dependency managers are not created by language/OS designers
• Vendors do not really care about automation/dependencies
• Often shared library hosting is done by 3rd party

• Maven
• Gradle
• Ivy

• NPM
• Yarn
• Bower (dead?)
• Yeoman
• Webpack
• Parcel

npm i -someFlag somePackage

vs

npm i - someFlag somePackage

• https://www.npmjs.com/package/install (350k weekly downloads)
• https://www.npmjs.com/package/D (4k weekly downloads)
• https://www.npmjs.com/package/g (32k weekly downloads)
• https://www.npmjs.com/package/s (7k weekly downloads)

• Snyk
• AquaSecurity
• NPM
• Sonatype
• JFrog

• When entering the (Dev)Ops, be prepared to fight!
• You are forced to live in a dependency HELL!
• ... and a security nightmare!
• People make money on managing your dependencies! Yes, they do!
• Situation will not change any soon!

• Test (on different environments and with freshly fetched dependencies)
• Release (packages with consistent dependency versions; no wildcards for god sake!)
• Isolate (project and system package trees; containers can help)
• Cache (dependencies locally and in organization's artifact repositories)
• Keep (dependency lists in version control)
• Stick (to known versions and sign packages)

• https://stackoverflow.com/questions/6344076/differences-between-distribute-distutils-setuptools-and-distutils2/14753678
• https://blog.sonatype.com/open-source-attacks-on-the-rise-top-8-malicious-packages-found-in-npm
• https://www.infoq.com/news/2020/12/dockerhub-image-vulnerabilities/
• https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12

• https://duo.com/decipher/hunting-malicious-npm-packages
• https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/
• https://javascript.plainenglish.io/8-ridiculous-npm-packages-i-wish-didnt-exist-3f3ab74942e7
• https://blog.sonatype.com/malware-removed-from-maven-central
• https://www.prevasio.io/blog/operation-red-kangaroo-industrys-first-dynamic-analysis-of-4m-public-docker-container-images