Garbage Collector

Misbrands : pip and npm

License CC-0

This new entry in the “misbrands” series is about two package managers: pip and npm. pip is the package installer for Python, and npm is a registry and the default package manager for Node.js-based software. This parody displays the npm logo with “pip” written inside instead of “npm”. The two package managers are similar in their goals and purposes, but their features differ.

pip

pip is a package manager written in and for Python. It uses the Python Package Index (PyPI) as its default registry, but users can set up their own (for example, the Sonatype Nexus artifact manager can host a Python package repository). pip was created in 2008 by Ian Bicking, the creator of the virtualenv package, as an alternative to “easy_install”. Named “pyinstall” at first, the tool was renamed following several suggestions the author received on his blog. The Python Packaging Authority was established in 2011 to ensure the maintenance of pip and PyPI. This working group aims to maintain and provide the core set of software projects used in Python packaging.

pip is usually shipped with Python distributions and can be upgraded as a package by itself. It is a very simple command-line tool that is invoked like this:

# install a package
pip install a-package
# upgrade the pip package
pip install --upgrade pip
# remove a package
pip uninstall a-package
# install a specific version
pip install 'a-package==2.0'
# install a minimum version
pip install 'a-package>=1.0'

pip can install, remove, list, check and download packages, search its index, and has various other features. It can also list the packages installed in the Python environment in order to produce its famous requirements.txt file. The requirements file is one of the most important features of pip because it is a simple text file listing all the dependencies a Python script requires. Combined with virtualenv, it helps set up reproducible Python environments for testing software in a clean setup. The requirements file is used like this:

pip install -r requirements.txt

The requirements file is just a list of packages, for which the user can specify a minimum version, an exact version, or nothing, in which case pip takes the latest. The last option is not the most efficient, because pip can be very slow when dependency resolution is complicated.
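To make those pinning forms concrete, here is an added example (not from the original post, and not part of pip itself) that classifies each line of a requirements file as exact, bounded or unpinned, and also flags exact pins that carry no --hash option, since without a hash pip only checks the version string, not the archive contents. The sample requirements text and its hash values are constructed for illustration.

```python
"""Classify the dependency lines of a pip requirements file by how tightly
they are pinned.  Added example, not from the original post; the sample
requirements text below is constructed."""
import re
from dataclasses import dataclass

# One requirement clause: name, optional [extras], optional operator and version.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<op>===|==|~=|!=|<=|>=|<|>)?\s*"
    r"(?P<version>[A-Za-z0-9.*+!-]+)?"
)


@dataclass
class Requirement:
    name: str
    operator: str   # "==" for an exact pin, "" when no version is given
    version: str
    hashed: bool    # True when the line carries a --hash= option
    pinned: str     # "exact", "bounded" or "unpinned"


def _strip_comment(line: str) -> str:
    # pip treats a leading "#" or " #" (preceded by whitespace) as a comment.
    if line.lstrip().startswith("#"):
        return ""
    return re.split(r"\s+#", line, maxsplit=1)[0].strip()


def parse_requirements(text: str) -> list[Requirement]:
    """Parse the requirement lines of a requirements.txt body.
    Lines continued with a trailing backslash are joined first, pip option
    lines (-r, -e, --index-url ...) are skipped, and environment markers
    after ';' are ignored for classification purposes."""
    joined = text.replace("\\\n", " ")
    result = []
    for raw in joined.splitlines():
        line = _strip_comment(raw)
        if not line or line.startswith("-"):
            continue                              # option line, not a package
        spec = line.split(";", 1)[0].strip()      # drop environment markers
        first = spec.split(",", 1)[0].strip()     # first clause decides the class
        m = _REQ_RE.match(first)
        if not m:
            continue                              # local path or URL, not handled
        op = m.group("op") or ""
        if op in ("==", "==="):
            pinned = "exact"
        elif op:
            pinned = "bounded"
        else:
            pinned = "unpinned"
        result.append(Requirement(m.group("name"), op, m.group("version") or "",
                                  "--hash=" in line, pinned))
    return result


def report(text: str) -> dict[str, list[str]]:
    """Group requirement names by pin category; 'unhashed' lists exact pins
    that lack a --hash option, so the downloaded archive is never verified."""
    out = {"exact": [], "bounded": [], "unpinned": [], "unhashed": []}
    for r in parse_requirements(text):
        out[r.pinned].append(r.name)
        if r.pinned == "exact" and not r.hashed:
            out["unhashed"].append(r.name)
    return out


# Constructed sample file; the sha256 values are placeholders, not real digests.
SAMPLE = """\
# constructed sample requirements file
-r base.txt
requests==2.31.0
Flask>=2.0,<3.0   # bounded, not reproducible
numpy ; python_version >= "3.9"
pyyaml==6.0 \\
    --hash=sha256:deadbeef
cryptography~=41.0
"""

if __name__ == "__main__":
    for category, names in report(SAMPLE).items():
        print(f"{category:9s}: {', '.join(names) or '-'}")
```

Only lines in the "exact" bucket with a hash give the reproducible, clean-room setup the paragraph above describes; "bounded" and "unpinned" lines resolve to whatever the index serves on the day of the install.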

A Python package can also be a distribution file: either a “source distribution” (a tar.gz archive containing the metadata and the sources needed to install it with a tool like pip) or a wheel, a built distribution that also contains the metadata and setup files telling pip what to do.

As far as I know, pip does not have any logo, so I can’t make any comment regarding it. It’s a tool I use a lot as my scripts are mostly written in Python, so this package manager is very useful.

npm

The npm logo, © npm Inc.

npm, at first referred to as “Node Package Manager” and later described as “npm is not an acronym”, is a package manager for the JavaScript programming language maintained by the company npm, Inc. Its first release came out in 2010, developed by Isaac Z. Schlueter, and the company of the same name was founded in 2014. The company was purchased in 2020 by GitHub, becoming a Microsoft subsidiary like its owner.

Like pip, the purpose of npm is to provide a package manager, in this case for the JavaScript runtime Node.js. “npm” is the name of a company, of a command-line tool, and also of the registry where packages can be published publicly, or privately with paid options. The npm command-line tool is a client for the npm registry. The npm registry is the official one, but anybody can host their own or use an alternative hosting service (for example, GitHub Packages can host an npm registry).

npm is recommended by and installed with the Node.js installer. The client interacts with the registry and allows users to consume and distribute the JavaScript modules available there. Packages are distributed in the CommonJS format and include a JSON-formatted metadata file. In 2020, the npm registry claimed to host over 1.3 million packages, and the company also said it had 11 million developers using its services. Alternatives to npm also exist, like yarn, made by Facebook, which is entirely compatible.

As a package manager, npm is meant to manage the dependencies between the modules of a particular project, as well as globally installed JavaScript tools. The project relies on a package.json metadata file, formatted in JSON, containing the project information and its dependencies. The dependencies can be cached and fixed by the package-lock.json file, which records the exact versions used by the project. npm understands semantic versioning, and the command-line tool can bump the version when asked for a “minor”, “major” or another supported keyword: npm then updates the version, commits, and tags the code.
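The relationship between the ranges in package.json and the exact versions in package-lock.json is easier to see in code. The following added example (not from the original post, and not npm's own implementation) reads both files, checks whether each locked version still satisfies the declared range, reports which dependencies are exact pins versus ranges, and includes a small bump() mirroring what the major/minor/patch keywords do to a version field. Both JSON documents are constructed, the package names are placeholders, and only the common range forms (exact, ^, ~, >= and *) are handled.

```python
"""Check a package.json dependency list against its package-lock.json.
Added example, not npm's own code; both JSON documents are constructed."""
import json


def _ver(s: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and any pre-release tag are dropped."""
    core = s.strip().lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def satisfies(version: str, rng: str) -> bool:
    """Semver-style check for the range forms most package.json files use."""
    v = _ver(version)
    rng = rng.strip()
    if rng in ("", "*"):
        return True
    if rng.startswith("^"):             # same major; for 0.x releases, same minor
        base = _ver(rng[1:])
        if base[0] == 0 and base[1] == 0:
            return v == base            # ^0.0.x allows only that exact version
        if base[0] == 0:
            return v[0] == 0 and v[1] == base[1] and v >= base
        return v[0] == base[0] and v >= base
    if rng.startswith("~"):             # same major.minor, patch may move forward
        base = _ver(rng[1:])
        return v[:2] == base[:2] and v >= base
    if rng.startswith(">="):
        return v >= _ver(rng[2:])
    return v == _ver(rng)               # a bare version is an exact pin


def bump(version: str, part: str) -> str:
    """What `npm version major|minor|patch` does to the version field."""
    major, minor, patch = _ver(version)
    if part == "major":
        return f"{major + 1}.0.0"
    if part == "minor":
        return f"{major}.{minor + 1}.0"
    if part == "patch":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unsupported bump keyword: {part}")


def check_lock(package_json: str, lock_json: str) -> dict[str, str]:
    """Status per declared dependency: 'pinned' (exact version in package.json),
    'ranged' (lock narrows a range to one version), 'mismatch' (locked version
    is outside the declared range) or 'missing' (no lock entry at all)."""
    manifest = json.loads(package_json)
    lock = json.loads(lock_json)
    packages = lock.get("packages", {})     # lockfileVersion 2/3 layout
    declared = {**manifest.get("dependencies", {}),
                **manifest.get("devDependencies", {})}
    status = {}
    for name, rng in declared.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            status[name] = "missing"
        elif not satisfies(entry["version"], rng):
            status[name] = "mismatch"
        elif rng.strip() == entry["version"]:
            status[name] = "pinned"
        else:
            status[name] = "ranged"
    return status


# Constructed manifest and lockfile; package names are placeholders.
PACKAGE_JSON = json.dumps({
    "name": "demo-app", "version": "1.0.0",
    "dependencies": {"lib-a": "^1.3.0", "lib-b": "2.0.0", "lib-c": "~0.4.1"},
    "devDependencies": {"lib-d": ">=3.0.0"},
})
LOCK_JSON = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lib-a": {"version": "1.5.2"},
        "node_modules/lib-b": {"version": "2.0.0"},
        "node_modules/lib-c": {"version": "0.5.0"},   # outside ~0.4.1
    },
})

if __name__ == "__main__":
    for name, state in check_lock(PACKAGE_JSON, LOCK_JSON).items():
        print(f"{name}: {state}")
    print(bump("1.4.2", "minor"))
```

A "ranged" entry is the normal case, and it is exactly why the lockfile matters: without it, every fresh install resolves the range again and may pull a newer release than the one the project was tested with.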

The usual usage of the npm client is:

# install the dependencies
npm install
# build the application
npm run build
# launch unit tests if available
npm run test
# bump version to major
npm version major

As a very popular tool, the npm registry is regularly targeted by attacks, and some of its packages have been altered to cause outages in the software that relies on them (sometimes by their own maintainers). The motives vary: packages have carried payloads able to steal bitcoin from certain applications, and there is political protest, with a very recent case of a package sabotaged by its maintainer to delete files from users with Belarusian and Russian IP addresses in protest of the war in Ukraine.

Regarding that last point, it is not specific to npm, as every registry can be targeted by malicious actors. These tools are great, but the sad part is when developers rely too much on them and forget to check their dependencies or even document them. Also, the dependencies are sometimes not updated, opening security holes in the software. This is why the code must be scanned very regularly by security analysis tools to ensure you are not running outdated pieces of software.
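Reviewing a dependency update is where the checking the paragraph above asks for happens in practice. The following added example (not from the original post, and not an npm feature) compares two package-lock.json files and sorts the differences into the buckets a reviewer cares about: new and removed packages, version upgrades, a package whose tarball hash changed without a version change, and anything resolved from a registry other than the expected one. Both lockfiles, their package names and their integrity strings are constructed; the expected registry hostname is an assumption for the example.

```python
"""Triage the difference between two package-lock.json files before merging a
dependency update.  Added example, not from the original post; both lockfiles
are constructed and the integrity strings are placeholders."""
import json
from urllib.parse import urlparse

# Assumption for this example: every package should come from the public registry.
EXPECTED_REGISTRY = "registry.npmjs.org"


def diff_lock(old_json: str, new_json: str,
              registry: str = EXPECTED_REGISTRY) -> dict[str, list[str]]:
    """Compare the "packages" maps of two lockfileVersion 2/3 documents and put
    every difference into a review bucket."""
    old = json.loads(old_json).get("packages", {})
    new = json.loads(new_json).get("packages", {})
    findings = {"added": [], "removed": [], "upgraded": [],
                "retagged": [], "foreign_registry": []}
    for path in sorted(set(old) | set(new)):
        if path == "":                 # the root entry describes the project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # works for nested paths too
        o, n = old.get(path), new.get(path)
        if o is None:
            findings["added"].append(f"{name}@{n['version']}")
        elif n is None:
            findings["removed"].append(f"{name}@{o['version']}")
        elif o["version"] != n["version"]:
            findings["upgraded"].append(f"{name} {o['version']} -> {n['version']}")
        elif o.get("integrity") != n.get("integrity"):
            # Same version, different tarball hash.  The public registry does not
            # let a published version be overwritten, so this needs a close look.
            findings["retagged"].append(name)
        if n is not None:
            host = urlparse(n.get("resolved", "")).hostname
            if host and host != registry:
                findings["foreign_registry"].append(f"{name} <- {host}")
    return findings


def _entry(name: str, version: str, digest: str, host: str = EXPECTED_REGISTRY) -> dict:
    # Builds a lock entry in the shape npm writes; the digest is a placeholder.
    return {"version": version,
            "resolved": f"https://{host}/{name}/-/{name}-{version}.tgz",
            "integrity": f"sha512-{digest}"}


# Constructed "before" and "after" lockfiles.
OLD_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lib-a": _entry("lib-a", "1.5.2", "PLACEHOLDERA1"),
    "node_modules/lib-b": _entry("lib-b", "2.0.0", "PLACEHOLDERB1"),
    "node_modules/lib-c": _entry("lib-c", "0.4.3", "PLACEHOLDERC1"),
}})
NEW_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.1"},
    "node_modules/lib-a": _entry("lib-a", "1.6.0", "PLACEHOLDERA2"),      # upgrade
    "node_modules/lib-b": _entry("lib-b", "2.0.0", "PLACEHOLDERB2"),      # same version, new hash
    "node_modules/lib-e": _entry("lib-e", "0.1.0", "PLACEHOLDERE1",
                                 host="mirror.example.internal"),        # new, other host
}})

if __name__ == "__main__":
    for bucket, items in diff_lock(OLD_LOCK, NEW_LOCK).items():
        print(f"{bucket:16s}: {', '.join(items) or '-'}")
```

The "upgraded" and "added" buckets are what a normal update produces and are the entries to read the changelog for; "retagged" and "foreign_registry" should be empty in an ordinary update, so anything landing there is worth a question before the merge.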

The npm logo is pretty simple: the brand name written in big lowercase letters. When I see this logo, I have the feeling I’m seeing a ghost flying with its hands up, boooo.

As I’ve said sometimes here, I’m not a developer, so I haven’t used npm a lot, except for building delivered software in a professional context and testing things personally. I have sometimes had to make CI build jobs for Node.js applications, and I must admit that this tool is very nice with its bumping strategy and its various commands to obtain data about a package or a project.
