From the comments here it looks like the project is missing a comparison table with other, similar tools. There are already questions about nvm, npx [1], asdf-vm [2], nodenv [3] (which also relies on shims).
I've only used nvm so far (it was enough effort to get the team to adopt one such tool, and nvm was the main one at the time), but as far as I can see the main differences are speed, native Windows support, and being able to specify both the Node and npm/Yarn versions — that latter point is an important part in getting reproducible results across machines as well. Additionally, at least nvm does encourage pinning to a major version, allowing people's minor/patch versions still to diverge. (The upside I suppose is that that can save you quite a bit of disk space with relatively manageable risks.)
Nix is one of the few package managers that really obviates building these custom solutions over and over for each different language.
You can also use nix ontop of any distro. It's UX isn't as good as a custom built solution, but if you're a polyglot you'll appreciate not needing to use a different solution for java, node, python etc
Unfortunately, Windows support is not there yet (or am I wrong?).
I stopped using Linux as my main distro. I was tired of maintaining my OS with the only argument "but I can do whatever I want", and I've been doing that for 10 years (with Debian, Gentoo and even a LFS at some point), no more.
Windows 10 works well. The WSL works well. Docker Desktop works well (unless you use WSL2, then it's CPU/RAM/Disk IO hungry). chocolatey works well.
Volta shows promise and I like that it's fast. But to me it seems like it will be hard to adopt until it supports `.node-version` file (a working standard among node version managers). For example, while some may want to use Volta, others will likely be using `nvm`. And a project's CI likely uses `nvm`. Volta has `volta` property for `package.json` to pin the node and npm version. That's nice and more specific than the `engines` property which can be a range of versions. But it would be better to keep things DRY and leverage the working standard for how node version managers keep track of the node version. (Otherwise a project has to maintain node version information in multiple places.)
We've been using volta at sentry.io for probably close to two years now, and I have to say, it's one of those tools I almost never think about because it legitimately "just works" (and is very very fast).
It has definitely helped to keep our team's environment in sync as we grow in # of people building Sentry. It's pretty much eliminated the need to ask 'are you on node / yarn x.y.z?
I switched from nvm to Volta. it is so much faster! if you had nvm switching your node versions per directory in your bash configs, you know it takes sometimes up to a second to cd into a directory. Volta does it so much better with `volta pin`
nvm allows to install and switch node versions, volta does it automatically. It creates a proxy executable which checks package.json, nvmrc, and automatically chooses proper node version; and it remembers the version used when globally installing (npm -g) so stuff will keep working forever, without worrying "can I update node? Are all global deps compliant?"
Also, volta is cross-platform. Nvm is macos only and nvm-windows is a totally different project (slightly different behaviors etc)
Although, nvm use should not even be necessary if your terminal is configured that way. Not having .nvmrc versions is less explicit, how would I change e.g. LTS and newest node versions in Volta?
That's not really going to help most people. It's not hard to obfuscate the malicious parts of the script.
I remember someone saying that you could essentially backdoor a target machine by rolling back certain libraries by a few weeks to undo security patches. I don't know modern *nix package management well enough to know if that's true, but it's a scary idea.
I have never heard of asdf. When we started using volta (back then notion) more than two years ago, it replaced nvm for us which was just very slow and frustrating.
So not sure what asdf does or how it behaves, but volta is basically a painless "forget that you even have it installed" version of nvm.
Would be curious to hear what makes it complicated. Volta is from my experience a "works outside the box" type of arrangement. It installs quickly and once you have it, you no longer think about it.
As this is another shim based manager, you can expect that at some point in time, someone in your team will have a broken setup due to shims generation failing for some reason or because something else messed with the way the tool relies on the PATH.
This has been my experience with rbenv, asdf and all other solutions that relies on shims.
Depending on what you are trying to do (for example running short lived CLI), you will incur into a slightly performance cost because of the bash/zsh/fish shell you need to spawn before running your code. In ruby's case rbenv/asdf adds around 20-50ms (could be more etc depending on your shell and your shells initialization code etc).
> you will incur into a slightly performance cost because of the bash/zsh/fish shell you need to spawn before running your code
While Volta does have a shim, it’s written in a sensible systems language (Rust)[0], so it does not spawn a shell. It only determines the correct process and arguments to run and launches it as a subprocess. There will be overhead to read from disk and determine which version of node/npm to run and a syscall to actually launch the subprocess, but that should be very minimal and nowhere near the cost of initializing a shell.
The result is that Volta feels faster than similar tools that are written in scripting/shell languages. It also enables better Windows support since there’s no reliance on a system having a POSIX shell.
I remember contributing a fix for an expansion issue in either bash or zsh (can't really recall) for nvm. Just running it was very, slow. This slowness is primarily why I usually use guix / nix on my distro of choice instead.
I'm glad this exists as I can imagine this way of handling which node to use is much faster than how nvm was doing it.
There seems to be so many of these tools for Javascript. NVM, NPX, n, asdf, Volta. Coming from a Python background I don't understand why the tooling here is so much more complete than for other languages.
> Coming from a Python background I don't understand why the tooling here is so much more complete than for other languages.
Is python immune to this problem? I think not, in fact, I think it is much worse because we have to "hack" how packages are installed by creating a "virtual environment." How many different tools are there to manage python dependencies?
cool, but am i like a complete grandpa if i'm a bit alarmed by how everyone these days seems to think curl bashing with stranges is totally normal and fine?
please, instead of creating something that's language/tool specific, work on asdf-vm[0]. We all benefit if we don't have to remember which version manager to use for which tool/language/whatever.
[+] [-] thih9|4 years ago|reply
[1]: https://news.ycombinator.com/item?id=27023701
[2]: https://news.ycombinator.com/item?id=27023909
[3]: https://news.ycombinator.com/item?id=27023881
[+] [-] Vinnl|4 years ago|reply
[+] [-] X6S1x6Okd1st|4 years ago|reply
You can also use nix ontop of any distro. It's UX isn't as good as a custom built solution, but if you're a polyglot you'll appreciate not needing to use a different solution for java, node, python etc
[+] [-] linkdd|4 years ago|reply
Unfortunately, Windows support is not there yet (or am I wrong?).
I stopped using Linux as my main distro. I was tired of maintaining my OS with the only argument "but I can do whatever I want", and I've been doing that for 10 years (with Debian, Gentoo and even a LFS at some point), no more.
Windows 10 works well. The WSL works well. Docker Desktop works well (unless you use WSL2, then it's CPU/RAM/Disk IO hungry). chocolatey works well.
[+] [-] SkyMarshal|4 years ago|reply
https://grahamc.com/blog/erase-your-darlings
https://mt-caret.github.io/blog/posts/2020-06-29-optin-state...
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] brianzelip|4 years ago|reply
[+] [-] darcyparker|4 years ago|reply
https://github.com/volta-cli/volta/issues/959
[+] [-] jiofih|4 years ago|reply
[+] [-] Evan-Purkhiser|4 years ago|reply
It has definitely helped to keep our team's environment in sync as we grow in # of people building Sentry. It's pretty much eliminated the need to ask 'are you on node / yarn x.y.z?
[+] [-] msoad|4 years ago|reply
[+] [-] the_mitsuhiko|4 years ago|reply
[+] [-] sergiomattei|4 years ago|reply
[+] [-] jakub_g|4 years ago|reply
Also, volta is cross-platform. Nvm is macos only and nvm-windows is a totally different project (slightly different behaviors etc)
[+] [-] a3w|4 years ago|reply
https://gist.github.com/keimlink/def691fe2253a33d3e15f021458...
Although, nvm use should not even be necessary if your terminal is configured that way. Not having .nvmrc versions is less explicit, how would I change e.g. LTS and newest node versions in Volta?
[+] [-] _jplc|4 years ago|reply
[+] [-] rjsw|4 years ago|reply
[1] https://common-lisp.net/project/asdf/
[+] [-] YPCrumble|4 years ago|reply
Anyone doing this after seeing the Codecov hack is asking for pain and suffering. Make sure to read every line of that script before running it.
[+] [-] runeks|4 years ago|reply
[+] [-] jcla1|4 years ago|reply
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
[+] [-] smt88|4 years ago|reply
I remember someone saying that you could essentially backdoor a target machine by rolling back certain libraries by a few weeks to undo security patches. I don't know modern *nix package management well enough to know if that's true, but it's a scary idea.
[+] [-] antihero|4 years ago|reply
[+] [-] dstaley|4 years ago|reply
[+] [-] the_mitsuhiko|4 years ago|reply
So not sure what asdf does or how it behaves, but volta is basically a painless "forget that you even have it installed" version of nvm.
[+] [-] steelbrain|4 years ago|reply
Installed using n-install (https://github.com/mklement0/n-install)
[+] [-] the_mitsuhiko|4 years ago|reply
[+] [-] vi2837|4 years ago|reply
[+] [-] brodock|4 years ago|reply
This has been my experience with rbenv, asdf and all other solutions that relies on shims.
Depending on what you are trying to do (for example running short lived CLI), you will incur into a slightly performance cost because of the bash/zsh/fish shell you need to spawn before running your code. In ruby's case rbenv/asdf adds around 20-50ms (could be more etc depending on your shell and your shells initialization code etc).
[+] [-] curun1r|4 years ago|reply
While Volta does have a shim, it’s written in a sensible systems language (Rust)[0], so it does not spawn a shell. It only determines the correct process and arguments to run and launches it as a subprocess. There will be overhead to read from disk and determine which version of node/npm to run and a syscall to actually launch the subprocess, but that should be very minimal and nowhere near the cost of initializing a shell.
The result is that Volta feels faster than similar tools that are written in scripting/shell languages. It also enables better Windows support since there’s no reliance on a system having a POSIX shell.
[0] https://github.com/volta-cli/volta/blob/main/src/volta-shim....
[+] [-] kissgyorgy|4 years ago|reply
[+] [-] jbverschoor|4 years ago|reply
[+] [-] prussian|4 years ago|reply
[+] [-] Aeolun|4 years ago|reply
[+] [-] spamalot159|4 years ago|reply
[+] [-] qudat|4 years ago|reply
Is python immune to this problem? I think not, in fact, I think it is much worse because we have to "hack" how packages are installed by creating a "virtual environment." How many different tools are there to manage python dependencies?
[+] [-] capableweb|4 years ago|reply
[+] [-] Semaphor|4 years ago|reply
[+] [-] elipsey|4 years ago|reply
[+] [-] coldtea|4 years ago|reply
[+] [-] salzig|4 years ago|reply
[0]: https://github.com/asdf-vm/asdf
[+] [-] wiradikusuma|4 years ago|reply