What is the state of the art in Programming Language Package Management?

Apparently there are many programming-language-specific package managers these days, each with different takes on versioning, dependency resolution, version pinning/locking, etc.

Usually I see Ruby’s bundler and Rust’s cargo heralded quite a lot on sites like Reddit and Hacker News.

What are the current best practices in programming language package management? E.g.: local installation vs. global installation of packages, locking to a version vs. just requiring the major version to be the same.

Also what are the important disadvantages and advantages of each of these choices?

Author: Linux Stallman

Does `npm audit` add any value when using `dependabot`

Context

There are multiple ways to scan projects for vulnerabilities.

Dependabot can be configured to check repositories for issues, and automatically submits pull requests to resolve them.

NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.

We’re trying to work out whether, if Dependabot is enabled, there’s any added value to using NPM Audit in our pipelines. I’m asking this solely from the perspective of what’s detected; not how the tools work (i.e. whether they can cause a pipeline to block/fail).

The actual question

Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?

Author: JohnLBevan