
npm did not always do it right, and IMO still does not do it completely right (nor does pnpm, my preferred replacement for npm -- but it has `--frozen-lockfile` at least that forces it to do the right thing) because transitive dependencies can still be updated.

cargo can also update transitive dependencies (you need `--locked` to prevent that).

Ruby's Bundler does not, which is preferred and is the only correct default behaviour. Elixir's mix does not.

I don't know whether uv handles transitive dependencies correctly, but lockfiles should be absolute and strict for reproducible builds. Regardless, uv is an absolute breath of fresh air for this frequent Python tourist.


npm will not upgrade transient dependencies if you have a lockfile. All the `frozen-lockfile` or `npm ci` commands do is prevent upgrades if you have incompatible versions specified inside of `package.json`, which should never happen unless you have manually edited the `package.json` dependencies by hand.

(It also removes all untracked dependencies in node_modules, which you should also never have unless you've done something weird.)


I'm not sure when that behaviour might have changed, but I have seen it do so. Same with yarn when not specifying a frozen lockfile.

I switched to pnpm as my preferred package manager a couple of years ago because of this, and even that still requires explicit specification.

It was an unpleasant surprise, to say the least.
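As an added example (not from anyone in this thread), a POSIX shell check for the failure mode discussed above: hash the lockfile, run the package manager in its strict mode, and fail the build if the lockfile was rewritten. The strict-mode commands are the ones named in the comments; `uv sync --locked` is my assumption, since the thread gives no flag for uv.

```shell
# check_lockfile_drift: run an install command, then fail if the lockfile changed.
# Strict-mode commands to pass in (the first three are from the thread):
#   npm   -> npm ci
#   pnpm  -> pnpm install --frozen-lockfile
#   cargo -> cargo build --locked
#   uv    -> uv sync --locked   (assumed, not stated in the thread)
check_lockfile_drift() {
    lockfile=$1
    shift
    if [ ! -f "$lockfile" ]; then
        echo "no lockfile at $lockfile; refusing to build unpinned" >&2
        return 2
    fi
    before=$(cksum < "$lockfile")      # checksum + size of the lockfile
    if ! "$@"; then
        echo "install command failed: $*" >&2
        return 3
    fi
    after=$(cksum < "$lockfile")
    if [ "$before" != "$after" ]; then
        # The package manager re-resolved something (e.g. a transitive dep)
        # instead of honouring the lockfile: treat that as a build failure.
        echo "lockfile drift: '$*' rewrote $lockfile" >&2
        return 1
    fi
    echo "lockfile unchanged after: $*"
    return 0
}

# Stand-alone demonstration with a constructed lockfile instead of a real
# install: one command leaves it alone, the other "re-resolves" a dependency.
demo_lockfile_drift() {
    dir=$(mktemp -d)
    lock="$dir/pnpm-lock.yaml"
    printf 'lockfileVersion: 9.0\npackages:\n  left-pad@1.3.0: {}\n' > "$lock"
    if check_lockfile_drift "$lock" true; then ok_rc=0; else ok_rc=$?; fi
    if check_lockfile_drift "$lock" sh -c "printf '  left-pad@1.3.1: {}\n' >> '$lock'"; then
        drift_rc=0
    else
        drift_rc=$?
    fi
    rm -rf "$dir"
    echo "$ok_rc $drift_rc"     # prints "0 1": clean run passed, drift was caught
}
```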


In cold weather, one should always dress for 5℃ warmer than the temperature outside when you have a bike ride longer than 5 km. Runners pretty much have to do the same. Your body heat and good layering will take care of everything else.


Don't need one in Toronto within a ½ day or so of the snow stopping for the major bicycle routes (including the MGT).

Calgary apparently also does a good job of clearing its bike lanes.

And I do my Costco shopping by bike year-round. I think I've used the car for large purchases at Costco twice in the last year.

I _rarely_ drive my car anywhere in Toronto, and find the streets on bike safer than most of the sidewalks in January -- they get plowed sooner than most homeowners and businesses clear the ice from their sidewalks.

And in Toronto we're rank amateurs at winter biking. Look at Montreal, Oslo, or Helsinki for even better examples. Too bad we've got an addle-brained carhead who doesn't understand public safety or doing his own provincial as our premier.


I've made a private MacPorts port[1]; if I find that I use it frequently enough, I might contribute it to the main MacPorts port repo[2].

One thing that's missing from my perspective (and this is probably true for Homebrew packaging as well, but I don't do that) is Git tags / GitHub releases associated with your Cargo releases.

I can work around it for now by using an explicit release (`9ccd9bf53f9a309ccda42b5c17e9c1056493fb90` is what I'm assuming was your 0.1.0 release point).

I've also assumed that npm10 is sufficient (which currently installs node22 on MacPorts).

[1] https://github.com/halostatue/ports

[2] https://github.com/macports/macports-ports

[3] https://github.com/halostatue/ports/commit/e7331a7fcae362b0d...


> npm10 is sufficient (which currently installs node22 on MacPorts)

Wait, no, node22 comes with npm10, not the other way around.


MacPorts separates `node` and `npm` packages like many package managers do:

    npm10 @10.9.3 (devel)
    
    Description:          npm is a package manager for node. You can use it to install and publish your node programs. It manages dependencies and does other cool stuff.
    Homepage:             https://www.npmjs.com/
    
    Library Dependencies: nodejs22
    Conflicts with:       npm3, npm4, npm5, npm6, npm7, npm8, npm9, npm11
    Platforms:            any
    License:              MIT
    Policy:               openmaintainer

The Portfile that I created specifies that if `npm` is present in $PATH (which isn't the user's $PATH because MacPorts uses `sudo`) then it should be used and assumed correct; otherwise, it says that the `npm10` port must be installed (because the instructions for oxdraw indicate that one must run `npm install && npm build`).


Thanks, that makes sense.


Thank you!


As noted, the maintainer is eccentric. They will not do anything that requires JavaScript.


I think that trusted publishing has had a bigger impact than the gem signing that was introduced years ago and never worked well because the infrastructure wasn't present.


It would be better if he did kill it.


Ironically, my main memory from back when I used unicorn was that the supported way to stop the server was to run "killall unicorns".


The maintainer is eccentric. He refuses to use anything that runs JavaScript out of a sense of "Free Software Purity", which means that he cannot use most of the ecosystem to which Ruby has migrated.

He has only contributed to Ruby via the ruby-core mailing list (he does not use the RubyMine interface which backs ruby-core) and the main Ruby git repo hosted by the Ruby team, never anything on GitHub.

I'm sort of surprised that the RubyGems MFA threshold hasn't been updated (it was 180M total downloads in 2022; my gems combined have > 2.5B downloads, so I was never not going to pass the threshold), but he's under 70M downloads shy and each release gets about 15M downloads or so.

I think that his position is irresponsible in today's threat environment, but given the amount of work that I'm doing for OSS maintenance that's just responding to bloody Dependabot updates…


It would be nice if OSS maintainers would start charging for extra security features like signed releases at least $1k/y per project.


> … Firefox's origin is in a hacker rebellion against corporatist awfulness

It literally was not.

The Mozilla project and foundation (which led to the MPL) was a dying corporation's attempt to ensure that its source code would outlive its destruction by a monopolist. There was some push from hacker idealists inside said corporation to make this happen, but it still took the corporation's positive action in order for this to happen and not result in everything being sold to the highest bidder in a fire sale.

Firefox was an independent hacker's reimagining of what just Mozilla the Browser might be if it didn't have all the other parts which made Mozilla the Suite. After it picked up steam and development stalled on the excessively complex suite, it was adopted back into the Mozilla Foundation and has become what people have used for a couple of decades.

Pure speculation on my part, but I think reasonably well informed: if Firefox hadn't been adopted back into the Mozilla Foundation, it's highly unlikely that the Foundation would have remained relevant but it's also highly unlikely that Firefox would have survived even as long as it has. There simply wasn't enough momentum for it to become a Linux-like project, and Firefox would have disappeared from desktop even faster.


Are you sure that they put security that high?


No, but I'm trying to be optimistic.

