Chaos and Order

💡 왼쪽 원문을 읽으면서 오른쪽에 따라 써보세요. Tab 키로 힌트를 받을 수 있습니다.

Introduction

Package managers are the backbone of software development infrastructure. Behind the everyday commands we use, like npm install, pip install, brew install, and yum install, lie complex mechanisms for dependency resolution, version management, and binary distribution.

In this post, we dissect the internals of four major package managers and walk through how to register your own software in each ecosystem.

Part 1: npm Internals (JavaScript / Node.js)

1-1. What Is npm?

npm (Node Package Manager) is the standard package manager for the JavaScript ecosystem. It has three core components.

Registry: The central repository where all packages are stored. Hosted at registry.npmjs.org and distributed worldwide via CDN. As of 2026, over 3 million packages are registered.

package.json: The file that declares project metadata and dependencies.

{
  "name": "my-project",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.18.0",
    "lodash": "~4.17.21"
  },
  "devDependencies": {
    "jest": "^29.0.0"
  }
}

node_modules: The directory where dependencies are actually installed. npm uses a nested structure by default but flattens it as much as possible through hoisting.

1-2. Dependency Resolution

npm's dependency resolution can be explained through four key concepts.

Semver (Semantic Versioning):

npm follows semver rules. Versions use the MAJOR.MINOR.PATCH format, and each range specifier has a specific meaning.

Specifier	Meaning	Example
`^4.18.0`	Fixed MAJOR, allow MINOR and PATCH	4.18.0 up to but not 5.0.0
`~4.17.21`	Fixed MAJOR and MINOR, allow PATCH only	4.17.21 up to but not 4.18.0
`4.18.0`	Exactly that version	4.18.0 only
`>=4.0.0`	That version and above	4.0.0 and higher

Lock Files:

package-lock.json records the exact version, integrity hash, and resolved URL of every installed package. This ensures the entire team can reproduce identical dependency trees.

{
  "name": "my-project",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/express": {
      "version": "4.18.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      "integrity": "sha512-abc123..."
    }
  }
}

Hoisting:

If package A depends on lodash 4.17.21 and package B also depends on lodash 4.17.21, npm installs lodash only once in the top-level node_modules. However, if different versions are required, duplicates are installed in nested node_modules directories.

Phantom Dependencies:

Because of hoisting, you can import packages that your project does not directly depend on. A package may be usable simply because it was hoisted by another dependency, even though it is not declared in your package.json. This leads to breakages when the dependency tree changes.

1-3. npm vs yarn vs pnpm

Here is a comparison of the three main package managers.

Feature	npm	yarn (Berry)	pnpm
Storage	node_modules (hoisted)	Plug'n'Play (PnP)	content-addressable store + symlinks
Lock file	package-lock.json	yarn.lock	pnpm-lock.yaml
Phantom dep prevention	No	Yes (strict PnP)	Yes (isolated node_modules)
Disk usage	High	Low	Very low (hard links)
Workspaces	npm workspaces	yarn workspaces	pnpm workspaces
Performance	Average	Good	Very good

The Core Idea of pnpm:

pnpm stores packages once in a global content-addressable store and creates hard links in each project's node_modules. Even if 10 projects use the same version of lodash, it is stored only once on disk.

~/.pnpm-store/
  v3/
    files/
      ab/cdef1234...   # actual files of lodash 4.17.21

project-a/node_modules/.pnpm/
  lodash@4.17.21/
    node_modules/
      lodash/
        index.js  -->  ~/.pnpm-store/v3/files/ab/cdef1234... (hard link)

1-4. Publishing a Package to npm

Here is the step-by-step process for publishing your package to the npm registry.

Step 1: Create an Account and Log In

npm adduser
# or if you already have an account
npm login

Step 2: Initialize the Package

mkdir my-awesome-lib
cd my-awesome-lib
npm init

Step 3: Complete package.json

{
  "name": "my-awesome-lib",
  "version": "1.0.0",
  "description": "A library that does awesome things",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
  "files": ["dist"],
  "scripts": {
    "build": "tsc",
    "prepublishOnly": "npm run build"
  },
  "keywords": ["awesome", "utility"],
  "author": "Your Name",
  "license": "MIT",
  "repository": {
    "type": "git",
    "url": "https://github.com/yourname/my-awesome-lib"
  }
}

Step 4: Publish

# Verify the build
npm run build

# Preview before publishing (check which files are included)
npm pack --dry-run

# Actually publish
npm publish

# For scoped packages (public)
npm publish --access public

Step 5: Version Management

# Bump patch version (1.0.0 -> 1.0.1)
npm version patch

# Bump minor version (1.0.1 -> 1.1.0)
npm version minor

# Bump major version (1.1.0 -> 2.0.0)
npm version major

# Publish
npm publish

Part 2: uv Internals (Python)

2-1. What Is uv?

uv is an ultra-fast Python package manager and project management tool built in Rust by Astral. It replaces pip while delivering 10x to 100x faster performance.

The reasons uv is fast include:

Written in Rust: Compiled to a native binary with no Python interpreter overhead
Parallel downloads: Dependency resolution and downloads happen concurrently
Global cache: Packages downloaded once are reused across all projects
Optimized SAT solver: Efficiently resolves the dependency graph

# Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

# Create a project
uv init my-project
cd my-project

# Add dependencies
uv add requests flask

# Sync dependencies (based on lock file)
uv sync

2-2. pip vs uv vs poetry vs conda

Feature	pip	uv	poetry	conda
Language	Python	Rust	Python	Python/C
Dependency resolution	Backtracking	SAT solver	SAT solver	SAT solver
Lock file	None (manual freeze)	uv.lock	poetry.lock	environment.yml
Virtual env management	No (separate venv)	Yes (built-in)	Yes (built-in)	Yes (built-in)
Speed (cold install)	Slow (baseline)	10-100x faster	2-5x faster	Slow
Build system	setuptools	Self-resolving	Self-building	Self-building
Non-Python packages	No	No	No	Yes (numpy C libs, etc.)

Speed comparison (real benchmark):

# Installing requests + flask + sqlalchemy (cold cache)
pip install:    12.4s
poetry install:  8.1s
uv sync:         0.8s   # 15x faster

2-3. How uv Resolves Dependencies

uv uses a SAT solver based on the PubGrub algorithm. Here is the step-by-step process.

1. Build the Dependency Graph:

Starting from the project's direct dependencies, uv reads each package's metadata to construct the full transitive dependency graph.

2. Constraint Propagation:

Each package's version requirements are converted into constraints, which are propagated to narrow down the possible version space.

3. Unit Propagation:

When a variable has only one possible value remaining, that value is fixed and related constraints are updated.

4. Conflict-Driven Clause Learning (CDCL):

When a conflict occurs, uv analyzes its root cause and adds a "learned clause" to avoid repeating the same failure.

Example: A>=1.0 requires B>=2.0, but C<1.5 requires B<2.0
  -> Conflict detected
  -> Learned: A>=1.0 AND C<1.5 cannot hold simultaneously
  -> Backtrack and try different versions

2-4. Publishing a Package to PyPI

Here is the modern approach to registering a Python package on PyPI (Python Package Index).

Step 1: Write pyproject.toml

[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"

[project]
name = "my-python-lib"
version = "1.0.0"
description = "A useful Python library"
readme = "README.md"
requires-python = ">=3.9"
license = "MIT"
authors = [
    { name = "Your Name", email = "you@example.com" }
]
dependencies = [
    "requests>=2.28.0",
    "pydantic>=2.0",
]

[project.urls]
Homepage = "https://github.com/yourname/my-python-lib"
Documentation = "https://my-python-lib.readthedocs.io"

[project.optional-dependencies]
dev = ["pytest", "ruff", "mypy"]

Step 2: Build

# Install build tools
uv add --dev build

# Run the build
python -m build

# .whl and .tar.gz files are created in the dist/ directory
ls dist/
# my_python_lib-1.0.0-py3-none-any.whl
# my_python_lib-1.0.0.tar.gz

Step 3: Test on TestPyPI

# Install twine
uv add --dev twine

# Upload to TestPyPI
python -m twine upload --repository testpypi dist/*

# Test installation
pip install --index-url https://test.pypi.org/simple/ my-python-lib

Step 4: Publish to PyPI

# Upload to PyPI
python -m twine upload dist/*

# Now anyone can install it
pip install my-python-lib
# or
uv add my-python-lib

Trusted Publisher Setup (GitHub Actions):

name: Publish to PyPI
on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install build
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1

This approach lets you publish to PyPI without API tokens, using GitHub OIDC tokens for authentication.

Part 3: RPM (Red Hat / CentOS / Rocky Linux)

3-1. What Is RPM?

RPM (Red Hat Package Manager) is the package management system for Red Hat-based Linux distributions. Its core components are as follows.

RPM Files: Binary package files with the .rpm extension. They contain compiled programs, configuration files, documentation, and install/uninstall scripts.

RPM Database: Located at /var/lib/rpm, it tracks information about all installed packages.

yum / dnf: Higher-level tools that solve RPM's dependency resolution problem. RPM can only install individual packages, but dnf automatically resolves dependencies and downloads packages from remote repositories.

# Direct RPM usage (no automatic dependency resolution)
rpm -ivh package-1.0.0-1.el9.x86_64.rpm

# Using dnf (automatic dependency resolution)
dnf install nginx

# Query package info
rpm -qi nginx

# List files in a package
rpm -ql nginx

Spec Files: Recipe files for building RPM packages. They define how to compile source code, which files to install where, and what dependencies are needed.

3-2. Building an RPM Package

Step 1: Prepare the Build Environment

# Install build tools
dnf install rpm-build rpmdevtools

# Create the build directory structure
rpmdev-setuptree

# The resulting structure:
# ~/rpmbuild/
#   BUILD/      - where builds are performed
#   RPMS/       - built RPM files
#   SOURCES/    - source tarballs
#   SPECS/      - spec files
#   SRPMS/      - source RPM files

Step 2: Write a Spec File

Name:           myapp
Version:        1.0.0
Release:        1%{?dist}
Summary:        My awesome application

License:        MIT
URL:            https://github.com/yourname/myapp
Source0:        %{name}-%{version}.tar.gz

BuildRequires:  gcc
BuildRequires:  make
Requires:       openssl-libs

%description
MyApp is an awesome application that does useful things.
It supports multiple platforms and is easy to configure.

%prep
%autosetup

%build
%configure
%make_build

%install
%make_install

%files
%license LICENSE
%doc README.md
%{_bindir}/myapp
%{_mandir}/man1/myapp.1*
%config(noreplace) %{_sysconfdir}/myapp.conf

%changelog
* Sat Apr 12 2026 Your Name <you@example.com> - 1.0.0-1
- Initial package

Step 3: Build

# Copy source tarball to SOURCES
cp myapp-1.0.0.tar.gz ~/rpmbuild/SOURCES/

# Build RPM (-ba: both binary and source RPM)
rpmbuild -ba ~/rpmbuild/SPECS/myapp.spec

# Check the built RPM
ls ~/rpmbuild/RPMS/x86_64/
# myapp-1.0.0-1.el9.x86_64.rpm

Step 4: Create a Local Repository

# Install createrepo
dnf install createrepo_c

# Create the repo directory
mkdir -p /var/www/html/myrepo/

# Copy RPMs
cp ~/rpmbuild/RPMS/x86_64/myapp-*.rpm /var/www/html/myrepo/

# Generate repo metadata
createrepo /var/www/html/myrepo/

# /etc/yum.repos.d/myrepo.repo
[myrepo]
name=My Custom Repository
baseurl=http://myserver.example.com/myrepo/
enabled=1
gpgcheck=0

3-3. DEB vs RPM Comparison

Feature	RPM (Red Hat family)	DEB (Debian family)
Distributions	RHEL, CentOS, Rocky, Fedora	Debian, Ubuntu, Mint
Package format	.rpm	.deb
Low-level tool	rpm	dpkg
High-level tool	yum / dnf	apt / apt-get
Package definition	spec file	debian/ directory (control, rules, etc.)
Build tool	rpmbuild	dpkg-buildpackage
Repo creation	createrepo	apt-ftparchive / reprepro
Script stages	pre/post install/uninstall	preinst/postinst/prerm/postrm
Signing	GPG	GPG (apt-key)

The key difference lies in design philosophy. RPM's spec file puts everything in one file, while DEB's debian/ directory separates concerns into different files by role.

Part 4: Homebrew (macOS / Linux)

4-1. How Homebrew Works

Homebrew is the unofficial package manager for macOS (and Linux). Here are the core concepts.

Formula: A Ruby script that defines how to install a package. It includes the source URL, build options, dependencies, and installation steps.

Tap: A Git repository that contains a collection of Formulae. The default Tap is homebrew-core, and anyone can create their own Tap.

Cellar: The location where packages are actually installed. On macOS, this is /opt/homebrew/Cellar/ (Apple Silicon) or /usr/local/Cellar/ (Intel).

Keg-only: A package installed in the Cellar but not symlinked into PATH. This prevents conflicts when the system already has the same program. A classic example is openssl.

# Install a package
brew install wget

# Check the install path
brew --prefix wget
# /opt/homebrew/opt/wget

# Cellar internal structure
ls /opt/homebrew/Cellar/wget/1.21.4/
# bin/  etc/  share/

# Force-link a keg-only package
brew link --force openssl@3

Bottle: A pre-compiled binary package. Downloading a Bottle instead of building from source dramatically speeds up installation. Most official Formulae provide Bottles for both macOS and Linux.

4-2. Registering Software with Homebrew

There are three ways to register software with Homebrew.

Method 1: Create a Personal Tap

The simplest method with the fewest restrictions.

Step 1: Create a GitHub Repository

Create a repository named homebrew-mytap. Homebrew recognizes the homebrew- prefix as a Tap name.

Step 2: Write a Formula

# Formula/myapp.rb
class Myapp < Formula
  desc "My awesome command-line application"
  homepage "https://github.com/yourname/myapp"
  url "https://github.com/yourname/myapp/archive/refs/tags/v1.0.0.tar.gz"
  sha256 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  license "MIT"

  depends_on "go" => :build

  def install
    system "go", "build", *std_go_args(ldflags: "-s -w -X main.version=#{version}")
  end

  test do
    assert_match "myapp version #{version}", shell_output("#{bin}/myapp --version")
  end
end

Step 3: Use It

# Add the Tap
brew tap yourname/mytap

# Install
brew install yourname/mytap/myapp

# Or, after adding the Tap, install directly
brew install myapp

Method 2: Submit a PR to homebrew-core

Getting included in the official Homebrew requires meeting strict criteria.

Requirements:

At least 30 GitHub stars (or a substantial user base)
Stable release tags
An open-source license
Automated builds via CI/CD
Must build on both macOS and Linux

# Clone homebrew-core and add a Formula
brew tap --force homebrew/core
cd $(brew --repository homebrew/core)

# Formula creation helper
brew create https://github.com/yourname/myapp/archive/refs/tags/v1.0.0.tar.gz

# Validate the Formula
brew audit --new myapp
brew test myapp

# Submit PR (GitHub CLI)
gh pr create --title "myapp 1.0.0 (new formula)" --body "Description of the tool..."

Method 3: Cask (GUI Applications)

Used for distributing macOS GUI applications in .app, .dmg, or .pkg format.

# Casks/myguiapp.rb
cask "myguiapp" do
  version "2.1.0"
  sha256 "abc123def456..."

  url "https://github.com/yourname/myguiapp/releases/download/v#{version}/MyGuiApp-#{version}.dmg"
  name "MyGuiApp"
  desc "A beautiful GUI application"
  homepage "https://myguiapp.example.com"

  app "MyGuiApp.app"

  zap trash: [
    "~/Library/Application Support/MyGuiApp",
    "~/Library/Preferences/com.yourname.myguiapp.plist",
  ]
end

# Install a Cask
brew install --cask myguiapp

4-3. Formula Authoring in Detail

Homebrew Formulae are written in a Ruby DSL. Here are the key components.

class ComplexApp < Formula
  desc "A complex application with many build options"
  homepage "https://complexapp.dev"

  # Stable version source
  url "https://github.com/yourname/complexapp/archive/refs/tags/v2.0.0.tar.gz"
  sha256 "deadbeef..."

  # HEAD version (in development)
  head "https://github.com/yourname/complexapp.git", branch: "main"

  license "Apache-2.0"

  # Build dependencies
  depends_on "cmake" => :build
  depends_on "pkg-config" => :build

  # Runtime dependencies
  depends_on "openssl@3"
  depends_on "sqlite"

  # Platform restriction
  depends_on :macos

  def install
    args = %W[
      --prefix=#{prefix}
      --with-openssl=#{Formula["openssl@3"].opt_prefix}
      --with-sqlite=#{Formula["sqlite"].opt_prefix}
    ]

    system "./configure", *args
    system "make", "install"

    # Install shell completions
    bash_completion.install "completions/complexapp.bash"
    zsh_completion.install "completions/_complexapp"
    fish_completion.install "completions/complexapp.fish"
  end

  # Post-install message
  def caveats
    <<~EOS
      To start complexapp as a service:
        brew services start complexapp
    EOS
  end

  # Installation verification test
  test do
    assert_match version.to_s, shell_output("#{bin}/complexapp --version")
    system "#{bin}/complexapp", "check"
  end
end

Key Formula DSL Methods:

Method	Purpose	Example
`url`	Source download URL	`url "https://..."`
`sha256`	Integrity verification hash	`sha256 "abc..."`
`depends_on`	Dependency declaration	`depends_on "openssl@3"`
`install`	Build and install steps	`system "make", "install"`
`test`	Installation verification	`assert_match ...`
`prefix`	Base install path	`/opt/homebrew/Cellar/app/1.0`
`bin`	Executable path	`prefix/"bin"`
`etc`	Config file path	`prefix/"etc"`
`share`	Shared data path	`prefix/"share"`

Part 5: The Grand Comparison

5-1. Comprehensive Comparison Matrix

Feature	npm	PyPI (uv/pip)	RPM (dnf)	Homebrew	APT (deb)	snap	flatpak
Target	Node.js libraries	Python libraries	System packages	CLI/GUI apps	System packages	Desktop apps	Desktop apps
Platform	Cross-platform	Cross-platform	RHEL family	macOS/Linux	Debian family	Linux	Linux
Registry	npmjs.com	pypi.org	Vendor repos	homebrew-core	Vendor repos	snapcraft.io	flathub.org
Isolation	node_modules	virtualenv	None (system-wide)	Cellar + symlinks	None (system-wide)	Sandbox	Sandbox
Dep resolution	semver ranges	SAT solver	libsolv (SAT)	Built-in	APT solver	Self-managed	Runtime sharing
Auto-update	No	No	dnf-automatic	brew upgrade	unattended-upgrades	snapd (auto)	No
Security signing	npm signatures	GPG/Sigstore	GPG	Code signing (Cask)	GPG	Snap Store signing	Flathub signing
Size concern	None	None	None	None	None	Large (bundled)	Large (runtime)

5-2. Which Package Manager Should You Use?

To distribute a JavaScript/TypeScript library: Use npm or GitHub Packages.

To distribute a Python library: Register on PyPI and let users install with uv or pip.

To distribute system-level packages for Linux servers: Build RPM packages (for RHEL family) or DEB packages (for Debian family).

To distribute a CLI tool for macOS: Write a Homebrew Formula and publish it in a personal Tap or submit a PR to homebrew-core.

To distribute a cross-platform desktop application: Consider snap or flatpak. snap has built-in auto-updates, while flatpak offers a more open ecosystem.

Conclusion

Package managers are far more than simple installation tools. They solve the NP-complete problem of dependency resolution in practical ways, safely distribute millions of packages, and serve as the circulatory system of the developer ecosystem.

Understanding the internals of each package manager helps you resolve dependency conflicts faster, manage caches more efficiently, and makes the process of distributing your own software much smoother.

Try registering your project on npm, PyPI, Homebrew, or RPM. The best way to experience how a package manager works is to build and publish a package yourself.

References

npm Official Docs: https://docs.npmjs.com/
uv Official Docs: https://docs.astral.sh/uv/
RPM Packaging Guide: https://rpm-packaging-guide.github.io/
Homebrew Formula Cookbook: https://docs.brew.sh/Formula-Cookbook
PyPI Publishing Guide: https://packaging.python.org/
PubGrub Algorithm: https://nex3.medium.com/pubgrub-2fb6470504f
pnpm Official Docs: https://pnpm.io/