corepack VS asdf

I'd love to use Bun for my projects, but it's not integrated into Corepack yet (and therefore you cannot pin the bun version w/ checksum in package.json)

https://github.com/nodejs/corepack/issues/295

Recently Node 16 LTS cycle started. One month and a few days before the carry-over, a super controversial package titled `coredeps` [0] was officially declared a core module and has been bundled with all official distributions since.

The NodeJS team refuses to discuss NPM because it's a separate 3rd party. And yet.... this NodeJS Core module comes pre-installed as a global NPM package.

We're just getting started.

This module installs or even reinstalls any supported package manager when you execute a script with a name that would match any that they'd recognise. Opt-in for only a short period, and intending to expand beyond package manager installations.

Amidst all that's been going on, NPM (Nonstop Published Moments) is working on a feature that silently hijacks user commands and installs foreign software. The code found in those compromised packages operated in a similar manner and was labeled a critical severity vulnerability.

The following might actually make you cry.

Of these third party remote distributions it's downloading, the number of checksum, keys, or even build configurations that are being verified is 0.

The game that Microsoft is playing with their recent acquisitions here is quite clear, but there's too much collateral damage.

[0] https://github.com/nodejs/corepack#readme

The new Node.js LTS v16 will be released at the end of October (without a fancy name assigned yet), it'll have Corepack preinstalled in the default configuration since v16.9.0. 👌

Corepack integration

Or if you need to manage more than just node, asdf has been around for over a decade and works great. You can use a .tool-versions to change runtimes for each project you have, in addition to managing your global runtime versions

https://asdf-vm.com/

Why not just use a tool like asdf (https://asdf-vm.com/) or mise (https://mise.jdx.dev/)?

These tools have the advantage of not being multi-taskers and can manage version for all your tools. You wouldn’t need pyenv and npm and rvm and…

We’ve even started committing the .mise.toml files for projects to our repos. That way, since we work on multiple projects that may need multiple versions of the same tool, it’s handled and documented.

The purpose of a version manager is to help you navigate or install any tools for development easily. Version Manager can be one tool for each dependency (e.g. NVM, g) or One tool for all dependencies (e.g. asdf, mise).

(asdf)[https://asdf-vm.com/] fully supports Python and almost any other language. I've been using it for Ruby, Python, Elixir, and other languages for years and never looked back.

Secondly, our development environments must not drift, because then code may behave differently and a change could pass on our machine but fail in production. There are many tools for locking down environments, e.g nix, pkgx, asdf, containers, etc., and they all share the common goal of being able to lock down dependencies for an environment accurately and deterministically. And that needs to be enforced in our local workflow so we don't have to rely on CI environments for correctness. All developers must have environments that are effectively identical to what runs in CI (which itself should be representative of the production environment).

There are many ways this can be done (e.g nix, pkgx, asdf, containers, etc.), and we won’t get into which specific tools to use, because we'll instead cover the essential essence of preventing environment drift:

I've really been enjoying asdf, which is a program that allows you to install specified versions of dev utilities as well as dynamically manage them via shims and .tool-versions files.

I use the asdf version manager.