When performing dependency resolution,
a package manager makes choices about which versions
of packages to install. These choices impact the final bundled application
in a variety of ways, such as:
correctness, code size, performance and security vulnerabilities.
Different production package managers (such NPM, Pip and Cargo)
can produce very different results when resolving identical lists of dependencies,
which can lead to users being confounded and having little choice over
dependency resolution behavior.
We address this by developing a unifying formal model of the semantics
of dependency resolution, and show that this model can encompass and highlight
the key differences between NPM, Pip and Cargo.
Further, our formal model delineates a design space of hypothetical package
managers, which popular package managers only inhabit a part of.
We enable empirical exploration of this design space by implementing MinNPM,
a drop-in replacement for NPM which allows for user-specified
customization of the dependency resolution semantics.
Using MinNPM we explore the empirical differences within the design space,
both among existing package managers' semantics, and with novel semantics
which allow us to directly minimize arbitrary optimization objectives.