Package managers, such as NPM, are critical components of modern software development, allowing programmers to access large ecosystems full of useful packages. Given only a few lines of configuration, a package manager automates the downloading and installation of perhaps hundreds of (transitive) dependencies. To achieve this, package managers perform dependency solving to choose which concrete versions of dependencies to install. However, different solvers select dependency versions in very different ways, which affects correctness, code size, and other factors of the final bundled software in ways that are opaque and confusing to programmers. Moreover, the exact behaviors of dependency solvers are defined by their implementations, rather than by specifications, which inhibits systematic comparisons of dependency solvers, whether looking at formal properties or empirical evaluations. We present PacSolve, a unifying formal semantics of dependency solving. PacSolve is parameterized along several key axes, allowing it to compactly represent the key features and differences between NPM, PIP and Cargo, and to express a wide variety of alternative semantics for dependency solving. We then build an executable implementation of PacSolve using Rosette, and use it to implement a drop-in replacement for NPM called MinNPM. MinNPM allows the user to customize both the consistency criteria and optimization objectives. We show empirically that MinNPM shrinks the footprint of 21% of the top 1,000 most downloaded NPM packages with at least one dependency, and that it produces a newer set of dependencies for 14%. We also use MinNPM to answer key empirical questions about dependency solver design. Notably, we show that NPM's tree-solving semantics is only necessary for 1.9% of its packages, and that MinNPM gives higher quality solutions while taking only 2.6 seconds longer than NPM on average.
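The abstract describes dependency solving as a search over concrete versions that is shaped by two things: a consistency criterion (may a package appear in more than one version, as NPM's tree semantics allows, or at most once, as PIP and Cargo require) and an optimization objective (smallest footprint, newest versions, and so on). The following Python is an added illustration, not code from the PacSolve paper or MinNPM: it brute-forces a small constructed registry instead of encoding the problem for an SMT solver as PacSolve does with Rosette, uses single integers as versions with inclusive ranges as constraints (a simplification of semver ranges), and models only the "one version per package" criterion versus the "multiple versions allowed" criterion. The package names, versions, and constraints are all constructed for the example.

```python
"""Toy dependency solver: consistency criterion + optimisation objective.

Added example (constructed registry, brute-force search); not PacSolve/MinNPM code.
"""
from itertools import combinations

# Constructed registry: package -> {version: {dependency: (min, max)}}.
# "site" is built so that no single-version solution exists: it needs web@1,
# which needs log@1, but site itself needs log@2.
REGISTRY = {
    "app":  {1: {"web": (1, 2), "log": (1, 2)}},
    "site": {1: {"web": (1, 1), "log": (2, 2)}},
    "web":  {1: {"log": (1, 1)}, 2: {"log": (2, 2), "util": (1, 1)}},
    "log":  {1: {}, 2: {"util": (1, 1)}},
    "util": {1: {}},
}

ALL_NODES = [(p, v) for p, vers in REGISTRY.items() for v in vers]
NEWEST = {p: max(vers) for p, vers in REGISTRY.items()}


def satisfies(version, constraint):
    lo, hi = constraint
    return lo <= version <= hi


def is_valid(nodes, root, allow_multiple_versions):
    """Check a candidate install set against the chosen consistency criterion."""
    if root not in nodes:
        return False
    # PIP/Cargo-style criterion: at most one version of each package.
    if not allow_multiple_versions:
        pkgs = [p for p, _ in nodes]
        if len(pkgs) != len(set(pkgs)):
            return False

    def targets(node):
        # Every dependency edge must resolve to an installed node satisfying it.
        p, v = node
        out = []
        for dep, constraint in REGISTRY[p][v].items():
            matches = [n for n in nodes if n[0] == dep and satisfies(n[1], constraint)]
            if not matches:
                return None
            out.extend(matches)
        return out

    reachable, frontier = {root}, [root]
    while frontier:
        t = targets(frontier.pop())
        if t is None:
            return False
        for n in t:
            if n not in reachable:
                reachable.add(n)
                frontier.append(n)
    # Reject orphan nodes that nothing in the solution depends on.
    return reachable == set(nodes)


def staleness(nodes):
    """How far each installed version lags behind the newest one, summed."""
    return sum(NEWEST[p] - v for p, v in nodes)


OBJECTIVES = {
    # Fewest installed packages first, newest versions as a tie-break.
    "min_footprint": lambda nodes: (len(nodes), staleness(nodes)),
    # Newest versions first, fewest packages as a tie-break.
    "newest": lambda nodes: (staleness(nodes), len(nodes)),
}


def solve(root, objective="min_footprint", allow_multiple_versions=False):
    """Exhaustively search install sets; return the best valid one, or None."""
    best = None
    for k in range(1, len(ALL_NODES) + 1):
        for combo in combinations(ALL_NODES, k):
            if is_valid(combo, root, allow_multiple_versions):
                key = OBJECTIVES[objective](combo)
                if best is None or key < best[0]:
                    best = (key, sorted(combo))
    return None if best is None else best[1]


if __name__ == "__main__":
    print("app, min footprint :", solve(("app", 1), "min_footprint"))
    print("app, newest        :", solve(("app", 1), "newest"))
    print("site, one version  :", solve(("site", 1)))
    print("site, tree-style   :", solve(("site", 1), allow_multiple_versions=True))
```

Running it shows the two effects the abstract talks about: for `app`, the same registry yields three packages under the footprint objective but four, all at their newest versions, under the newest objective; for `site`, the single-version criterion has no solution at all, and only the NPM-style criterion that permits both `log@1` and `log@2` in one install produces one. The exhaustive search is only practical for a handful of nodes, which is why PacSolve hands the real problem to a constraint solver.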