# Porting applications that use dependency managers



## tuaris (Feb 21, 2020)

I'd like to get some opinions of how to best approach 'porting' applications that use external dependency managers such as PHP's composer, Java's maven/gradel, or NodeJS's yarn/npm.  Here are some ways I've seen and experimented with:

1) I notice that the ports system support Rust's cargo and am wondering if there was a similar macro for composer, yarn, maven? 
2) I've seen some ports 'pre-package' the dependency cache, host it somewhere on Github, then add it to DISTFILES.  I'm not really a fan of this approach.
3) One of the approaches I was experimenting with was to add some pre-fetch and post-fetch targets, copy the package.json/compose.sjon file into a sub directory under distfiles, run the dependency manager, and tar it up.  Then a post-extract target to put the cache to the expected location.

Ideally the first item on the list would be the approach I'd like to take.


----------



## ljboiler (Feb 21, 2020)

#2 is the only way I can see that you can guarantee that the dependencies needed to build something don't get yanked out from under you, especially when some providers of those dependencies like to aggressively purge older versions, or rearrange their repositories...


----------



## kpedersen (Feb 27, 2020)

tuaris said:


> 3) One of the approaches I was experimenting with was to add some pre-fetch and post-fetch targets, copy the package.json/compose.sjon file into a sub directory under distfiles, run the dependency manager, and tar it up.  Then a post-extract target to put the cache to the expected location.



We use this approach internally at work and it works great until... It doesn't work (language based package managers suck and are flawed in so many ways!). We then need to fiddle with it to fix it. It is not deterministic enough.

Internally it still kinda works but I feel that it is too fragile for something like the FreeBSD ports collection.

Note: If you do go this approach, you might like to use the following:


```
npm install --ignore-scripts
```

It prevents attempting to compile native code on the host build machine (that will not necessarily align with your target architecture. NPM is too weak to cross compile (did I mention language based package managers suck?))


----------

