
I want to specify only those deps that I use directly. Imagine a `foobar` package that has a `babel` peer dependency because it does some transpiling or whatever. For me as a user of `foobar`, that Babel requirement could have been a regular dependency instead of a peer. I don't care, I don't use Babel. In other words - if a package manager has all the information necessary to install all dependencies, why should I add another, redundant piece of information to my package.json?


As the post you shared yourself explains, peer dependencies were meant for plugins/extensions. It would make no sense for you to depend on “foobar” directly without having babel as a dependency already.

If foobar can be used standalone, then babel is a standard dependency, not a peer dep.


Technically true, but not how it is actually done. People very often specify packages like Babel, React, TypeScript, GraphQL, etc. as peer dependencies even when they shouldn't.

Anyway, in any case, auto installing peer deps solves both situations. There really is no reason to not auto install them.


There really is - not everybody is content with having 600MB of unused dependencies being pulled in for no reason. This approach slows things down, including CI, increases surface area for security risks and makes your dependency tree inscrutable. All to account for obviously wrong use of the package manager.


By "autoinstalling peer deps" I don't mean "installing unnecessary deps" - those peer dependencies are required, you still have to install them, I just don't want to manually add them to my package.json.


Well, it’s hard to argue with that, we simply have very different expectations. You want NPM to automatically fix what is clearly user error so that installing random plugins “just works”, and don’t care that 3rd+ level deps might end up pulling a hundred extra packages you never asked for; I want it to follow its own dependency management rules to the letter and not have anything installed by surprise.

Clearly there is an audience for the former.


Nothing is installed by surprise. Peer dependencies are not optional (you have to specify them as such). There is no user error and there is nothing for npm to fix.

I have some app:

  {
    "name": "some-app",
    "dependencies": {
       "foo": "^1.0.0"
    }
  }
foo specifies some peer dep:

  {
    "name": "foo",
    "peerDependencies": {
       "bar": "^1.0.0"
    }
  }
  
Now some-app doesn't directly use bar, so I didn't add it to package.json. Npm@7 and newer will install everything: foo and bar. If I used a package manager without auto installing peer dependencies, I would have to manually update my package.json:

  {
    "name": "some-app",
    "dependencies": {
       "foo": "^1.0.0",
       "bar": "^1.0.0"
    }
  }
  
But in both cases node_modules will contain foo and bar. There are no "extra packages you never asked for". Adding bar as a dependency of some-app is completely redundant information.

Now, it's possible that there are packages that don't really require some peer dependency installed, and therefore they are installed needlessly. But that's a problem of those poorly developed packages, not mine. Why should I waste time manually specifying what should and should not be installed?


That implies babel was a dependency not a peer one.

Peer dependencies are for extensions and for plugins to an existing stack, as material-ui has a peer of react or io-ts on fp-ts


I am so confused about the purpose of a "peer dependency" in the first place then.


You can read here why the peer deps were introduced: https://nodejs.org/es/blog/npm/peer-dependencies/

Imagine this structure of packages:

  your-app/
  ├── dep-a/
  │   └── dep-c
  ├── dep-b
  └── peer-dep
Very simplified: `dep-c` is a dependency of `dep-a`, so it is installed in its node_modules, but `peer-dep` is a peer dependency of `dep-a`, so it is in the node_modules of `your-app`. `dep-b` could also define `peer-dep` as its peer dependency, so it is installed only once. When npm switched to a flat node_modules structure, peer deps became somewhat redundant, but not quite. Pnpm, which uses symlinks to achieve a proper node_modules structure while avoiding long filenames, combined with auto install of peer deps, would be the ideal package manager.
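To make the two scenarios in this thread concrete (the some-app/foo/bar example above and the your-app/dep-a/peer-dep tree in this post), here is an added example that is not code from the thread, from npm or from pnpm. It is a toy resolver over a constructed in-memory registry of package.json manifests: it walks the dependency graph, reports which packages land in a flat node_modules, and lists the peer dependencies that remain unsatisfied, once with and once without npm@7-style automatic peer installation. The registry contents, version numbers and the `satisfiesCaret` helper are all assumptions made for the example (a real resolver uses the semver package and full range syntax). Seeing the resulting install set is also the practical answer to the "surface area" concern raised earlier: whichever mode you prefer, you can enumerate exactly what ends up on disk.

```javascript
// Added example, not code from the thread or from npm/pnpm: a toy resolver
// over a constructed in-memory "registry" of package.json manifests.

// Constructed registry: versions and manifests are made up for the example.
const registry = {
  foo:        { version: "1.2.0", dependencies: {}, peerDependencies: { bar: "^1.0.0" } },
  bar:        { version: "1.0.5", dependencies: {}, peerDependencies: {} },
  "dep-a":    { version: "2.0.0", dependencies: { "dep-c": "^1.0.0" }, peerDependencies: { "peer-dep": "^1.0.0" } },
  "dep-b":    { version: "1.0.0", dependencies: {}, peerDependencies: { "peer-dep": "^1.0.0" } },
  "dep-c":    { version: "1.1.0", dependencies: {}, peerDependencies: {} },
  "peer-dep": { version: "1.3.0", dependencies: {}, peerDependencies: {} },
};

// Minimal caret-range check (assumption: only "^x.y.z" with x >= 1 is handled;
// a real resolver uses the semver package).
function satisfiesCaret(range, version) {
  const want = range.replace(/^\^/, "").split(".").map(Number);
  const have = version.split(".").map(Number);
  if (want.length !== 3 || have.length !== 3) return false;
  if (want.some(Number.isNaN) || have.some(Number.isNaN)) return false;
  if (have[0] !== want[0]) return false; // caret: same major version
  for (let i = 1; i < 3; i++) {          // and not below the stated floor
    if (have[i] > want[i]) return true;
    if (have[i] < want[i]) return false;
  }
  return true;
}

// Walk the dependency graph breadth-first into a flat node_modules. Peer
// requirements are collected and checked against the final installed set,
// because a peer may be satisfied by a package that enters the tree through
// a different path (dep-a and dep-b both pointing at peer-dep).
function resolve(rootManifest, { autoInstallPeers }) {
  const installed = new Map();  // name -> version present in node_modules
  const peerRequirements = [];  // { requiredBy, peer, range }
  const queue = Object.keys(rootManifest.dependencies || {});
  while (queue.length) {
    const name = queue.shift();
    if (installed.has(name)) continue;
    const manifest = registry[name];
    if (!manifest) throw new Error(`unknown package: ${name}`);
    installed.set(name, manifest.version);
    queue.push(...Object.keys(manifest.dependencies || {}));
    for (const [peer, range] of Object.entries(manifest.peerDependencies || {})) {
      peerRequirements.push({ requiredBy: name, peer, range });
      if (autoInstallPeers) queue.push(peer); // npm@7+ behaviour
    }
  }
  const unsatisfied = peerRequirements.filter(
    ({ peer, range }) => !installed.has(peer) || !satisfiesCaret(range, installed.get(peer))
  );
  return { installed: [...installed.keys()].sort(), unsatisfied };
}

// The some-app example from the thread: foo alone without auto-install,
// foo alone with auto-install, and foo plus an explicit bar.
function someAppScenario() {
  const manual = resolve({ dependencies: { foo: "^1.0.0" } }, { autoInstallPeers: false });
  const auto = resolve({ dependencies: { foo: "^1.0.0" } }, { autoInstallPeers: true });
  const explicit = resolve({ dependencies: { foo: "^1.0.0", bar: "^1.0.0" } }, { autoInstallPeers: false });
  return { manual, auto, explicit };
}

const { manual, auto, explicit } = someAppScenario();
console.log("no auto-install:", manual.installed,
  "unsatisfied:", manual.unsatisfied.map(u => `${u.peer} (needed by ${u.requiredBy})`));
console.log("auto-install:   ", auto.installed);
console.log("explicit bar:   ", explicit.installed);
```

Running it shows the point both sides are making: without auto-install, `foo` is present and `bar` is reported as an unsatisfied peer; with auto-install, or with `bar` written into the root manifest by hand, node_modules ends up with exactly the same two packages. Resolving the dep-a/dep-b tree with auto-install yields `peer-dep` once at the top level, which is the hoisting the post describes.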



