by zdw 618 days ago
The downside of the "bundle everything" approach (which is also used by Docker and its ilk), is that whenever one of those dependencies needs to be fixed or upgraded (for reliability or security reasons), you have to find every instance of it on the entire system, which soon becomes an extremely difficult task.

Shared libraries don't have this problem. Yes, they're separate packages, but having dependencies that can be upgraded separately simplifies upgrading that dependency.

2 comments

This is assuming that just upgrading the shared library will work for everything. Too often, some things are broken by the upgrade, and since you weren't explicitly trying to update the thing that broke, you might not notice until a later date, at which point you may struggle to remember what was updated that it relies on.
I don't disagree that Hyrum's Law[1] is definitely a thing, but in practice with libraries that attempt SemVer or similar compatibility guarantees and understand that they'll be used in a shared library environment, breakage is not that common.

It also doesn't work for some ecosystems (like Go) where the practice is to prefer static linking.

1: https://www.hyrumslaw.com

> The downside of the "bundle everything" approach (which is also used by Docker and its ilk), is that whenever one of those dependencies needs to be fixed or upgraded (for reliability or security reasons), you have to find every instance of it on the entire system, which soon becomes an extremely difficult task.

How does it become a difficult task? Just download things and replace them when I ask to update. I have fast internet and a big SSD, that's fine for me. 90% of the software I'm using on my Mac is installed via alternative ways and already bundles all the dependencies, so I'm already living with it.

There are also ways to abstract the files on disk such that it appears every module has its own copy of “foo.so” but they’re all the same bytes on disk. Using content hashes for example. I believe this is how pnpm works.

I don’t buy the "shared libraries solve problems" argument either. Lots of software is pinned to a specific version anyway, so just because some security update has come out for a shared lib doesn’t mean it will work with all your other software.
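Added example (not from any commenter in this thread): a small Python inventory that walks a tree, groups every bundled copy of a library by content hash so the "find every instance of it on the entire system" step from the top comment becomes a single query, and then applies the content-addressed dedup idea from the pnpm comment by hard-linking identical copies. The directory layout, the library name libfoo.so and the version strings are constructed sample data.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def index_by_content(root: Path, name: str) -> dict[str, list[Path]]:
    """Group every file called `name` under `root` by its content hash.
    Identical bytes in different bundles collapse to one key, so the key
    set is the list of distinct builds actually present on disk, and each
    value is every location that must be patched for that build."""
    index: dict[str, list[Path]] = defaultdict(list)
    for path in root.rglob(name):
        if path.is_file():
            index[sha256_file(path)].append(path)
    return dict(index)

def dedupe_with_hardlinks(index: dict[str, list[Path]]) -> int:
    """pnpm-style store: keep one file per distinct content and replace the
    other copies with hard links, so every bundle still sees its own
    'libfoo.so' but the bytes exist once. Assumes a single filesystem
    (hard links cannot cross mounts). Returns the number of files replaced."""
    replaced = 0
    for paths in index.values():
        keep, *dups = sorted(paths)
        for dup in dups:
            dup.unlink()
            os.link(keep, dup)
            replaced += 1
    return replaced

def build_sample_tree() -> Path:
    """Constructed sample: three bundled apps, two shipping the same old
    build of libfoo.so and one shipping a newer build."""
    root = Path(tempfile.mkdtemp())
    old = b"libfoo 1.0.0 (constructed sample bytes)"
    new = b"libfoo 1.0.1 (constructed sample bytes)"
    for app, blob in (("app-a", old), ("app-b", old), ("app-c", new)):
        lib_dir = root / "opt" / app / "lib"
        lib_dir.mkdir(parents=True)
        (lib_dir / "libfoo.so").write_bytes(blob)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    idx = index_by_content(root, "libfoo.so")
    for digest, paths in idx.items():
        print(digest[:12], [str(p.relative_to(root)) for p in paths])
    print("hard-linked", dedupe_with_hardlinks(idx), "duplicate(s)")
```

On a real host you would point `index_by_content` at `/` (or at the container image layers) and look up the hash of the build the advisory names; the result is the list of bundles that still carry it.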