Misbrands : pip and npm
This new entry in the “misbrands” series is about two package managers: pip and npm. pip is the package installer for Python, and npm is both a registry and the default package manager for Node.js-based software. This parody displays the npm logo with “pip” written inside instead of “npm”. The two package managers are similar in their goals and purposes, but their functionalities differ.
pip is a package manager written in and for Python. It uses the Python Package Index (PyPI) as its default registry, but users can set up their own (for example, the Sonatype Nexus Artifact Manager can host a Python package repository). pip was created in 2008 by Ian Bicking, the creator of the virtualenv package, as an alternative to “easy_install”. First named “pyinstall”, the tool was renamed following several suggestions the author received on his blog. The Python Packaging Authority was established in 2011 to ensure the maintenance of pip and PyPI. This working group aims to maintain and provide the core set of software projects used in Python packaging.
pip is usually shipped with Python distributions and can upgrade itself like any other package. It is a very simple command-line tool that can be invoked like this:
# install a package
pip install a-package
# upgrade the pip package
pip install --upgrade pip
# remove a package
pip uninstall a-package
# install a specific version
pip install 'a-package==2.0'
# install a minimum version
pip install 'a-package>=1.0'
pip can install, uninstall, list, check, download, search its index, and has various other features. It can also generate the list of packages installed in the Python environment in order to produce its famous requirements.txt file. The requirements file is one of the most important features of pip: it is a simple text file listing all the dependencies a Python script could require. Combined with virtualenv, this feature helps set up reproducible Python environments for testing software in a clean state. The requirements file is used like this:
pip install -r requirements.txt
The requirements file is just a list of packages, where the user can specify a minimum version, an exact version, or nothing at all, in which case pip takes the latest release. The last option is not the most efficient, because pip can be very slow when dependency resolution is complicated.
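As an added example (not code from the original post), here is a small checker for the three requirement forms just described. It reports which entries of a requirements.txt file do not fix one exact version, since those are the ones whose resolved release can change between two installs; the regex, the sample file and the function names are this example's own constructions.

```python
import re

# Constructed regex for the simple forms the post mentions: a bare name, an
# exact pin (==) or a minimum version (>=); other comparison operators are
# recognised too. Extras, environment markers, URLs and comma-separated
# specifier lists are out of scope and are reported as "unparsed".
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*))?$"
)

def classify(line):
    """Return (name, kind, version) for one requirements.txt line, where kind
    is 'exact', 'minimum', 'other', 'unpinned' or 'unparsed'; None for blank
    lines, comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return (line, "unparsed", None)
    name, op, ver = m.groups()
    kind = {None: "unpinned", "==": "exact", ">=": "minimum"}.get(op, "other")
    return (name.lower(), kind, ver)

def floating_requirements(text):
    """Names of requirements that do not fix one exact version, i.e. the ones
    whose resolved release can differ from one install to the next."""
    return [r[0] for r in map(classify, text.splitlines()) if r and r[1] != "exact"]

# Constructed sample file, not taken from any real project.
SAMPLE = """\
# production dependencies
requests==2.28.1
flask>=2.0          # minimum version: pip picks the newest matching release
pyyaml              # no specifier: pip takes the latest
-r dev.txt
"""

if __name__ == "__main__":
    for name in floating_requirements(SAMPLE):
        print(f"{name}: version not pinned")
```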
A Python package can also be a distribution file, such as a “source distribution” (a tar.gz archive containing the metadata and the essential sources needed to install it with a tool like pip) or a wheel, a built distribution that also contains the metadata and setup files telling pip what to do.
As far as I know, pip does not have any logo, so I can’t make any comment regarding it. It’s a tool I use a lot, as my scripts are mostly written in Python, so this package manager is very useful.
The npm logo, © npm Inc.
npm is a client for accessing the npm registry. The npm registry is the official one, but anybody can host their own or use an alternative hosting service (for example, GitHub Packages can host an npm registry). An alternative client also exists: yarn, made by Facebook, which is entirely compatible.
A Node.js project is described by a package.json metadata file containing the project information and its dependencies, formatted in JSON. The dependencies can be cached and fixed by the package-lock.json file, which contains the exact versions used by the project. npm understands semantic versioning, and the command line can bump the version just by asking for “minor”, “major”, or another supported keyword; npm then takes care of updating the version, committing, and tagging the code.
The usual usage of the npm client is:
# install the dependencies
npm install
# build the application
npm run build
# launch unit tests if available
npm run test
# bump version to major
npm version major
As a very popular tool, the npm registry is regularly targeted by attacks, and some of its packages can be altered to provoke outages in the software that relies on them (even by their own maintainers). The motives are various, from packages that contained a payload able to steal bitcoin from certain applications to political protest, with a very recent case of a package sabotaged by its maintainer to delete files from users with Belarusian and Russian IP addresses in protest of the war in Ukraine.
Regarding the last part, this is not specific to npm, as every registry can be targeted by malicious attackers. These tools are awesome; the sad part is when developers rely too much on them and forget to check their dependencies or even document them. Also, the dependencies are sometimes left without updates, opening security holes in the software. This is why the code must be scanned very regularly by security analysis tools to ensure you’re not running outdated pieces of software.
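As an added example (not code from the original post), this checker ties the package-lock.json point made earlier to the advice above about checking your dependencies: it confirms that every dependency declared in package.json is actually pinned in the lock file and that the locked version satisfies the declared range. The semver handling (exact, caret and tilde ranges) is written out here rather than taken from npm, the lockfileVersion 2/3 layout is assumed, and the sample manifest and lock are constructed.

```python
import json

def parse(version):
    """'4.18.2' -> (4, 18, 2); pre-release tags are out of scope here."""
    return tuple(int(x) for x in version.split("."))

def satisfies(spec, version):
    """Exact, caret (^) and tilde (~) ranges as npm's semver defines them:
    ~1.2.3 allows patch updates, ^1.2.3 allows anything below the next
    leftmost non-zero component (so ^0.2.3 stays below 0.3.0)."""
    v = parse(version)
    if spec[0] not in "^~":
        return v == parse(spec)
    low = parse(spec[1:])
    if spec[0] == "~":
        high = (low[0], low[1] + 1, 0)
    else:
        i = next((k for k, x in enumerate(low) if x), 0)
        high = low[:i] + (low[i] + 1,) + (0,) * (2 - i)
    return low <= v < high

def audit_lock(manifest, lock):
    """Map each declared dependency that the lock does not pin correctly to a
    short explanation. Assumes the lockfileVersion 2/3 layout, where every
    installed package sits under "packages" keyed by its node_modules path."""
    declared = {**manifest.get("dependencies", {}),
                **manifest.get("devDependencies", {})}
    installed = lock.get("packages", {})
    problems = {}
    for name, spec in declared.items():
        entry = installed.get(f"node_modules/{name}")
        if entry is None:
            problems[name] = "missing from package-lock.json, version floats at install"
        elif not satisfies(spec, entry["version"]):
            problems[name] = f"locked {entry['version']} does not satisfy {spec}"
    return problems

# Constructed sample manifest and lock, not taken from any real project.
PACKAGE_JSON = json.loads('{"name": "demo-app", "version": "1.4.2",'
    ' "dependencies": {"express": "^4.18.0", "lodash": "~4.17.20", "left-pad": "1.3.0"},'
    ' "devDependencies": {"jest": "^29.0.0"}}')
PACKAGE_LOCK = json.loads('{"lockfileVersion": 3, "packages": {'
    ' "": {"name": "demo-app", "version": "1.4.2"},'
    ' "node_modules/express": {"version": "4.18.2"},'
    ' "node_modules/lodash": {"version": "4.17.21"},'
    ' "node_modules/jest": {"version": "28.1.3"}}}')

if __name__ == "__main__":
    for name, why in audit_lock(PACKAGE_JSON, PACKAGE_LOCK).items():
        print(f"{name}: {why}")
```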
The npm logo is pretty simple: the brand name is written in big lowercase letters. When I see this logo, I have the feeling of seeing a ghost flying with its hands up, boooo.
As I’ve said sometimes here, I’m not a developer, so I haven’t used npm a lot except for building delivered software in a professional context and testing things for personal use. I sometimes had to make CI build jobs for Node.js applications, and I must admit that this tool is very nice with its bumping strategy and its various command lines to obtain data about a package or a project.