Please use Packdeps!

December 1, 2011

GravatarBy Michael Snoyman

This blog post is an explanation of what the packdeps site is, why it's useful, and how to use it most effectively. The tl;dr is: if anyone is using your packages on Hackage, please start using this site.

I originally created packdeps after getting lots of emails about my packages having outdated dependencies. As a religious follower of the PVP (I've since reformed a bit), my packages always had upper bounds on every package. This means that, if a new version is released, my package will refuse to work with it until I update it.

This is great in theory, as it means your code will never accidently break when someone releases a new package. But there is also a downside: Cabal dependency hell. Due to various issues I won't rehash here, if you depend on a package that relies on older versions of another package, Cabal will sometimes not be able to help you.

We have tools to try and get around Cabal dependency hell (like our recently-released cabal-src), but better yet is nipping the problem in the bud, and keeping all packages up-to-date. That's where packdeps comes in.

The site is very simple. You simply give it a search string, and it scours all of Hackage to find packages containing the string in the author or name fields. Once it finds those packages, it determines if there are any "restrictive upper bounds" on them. For example, if my "foo" package depends on "bar == 1.1.*", and Hackage has bar-1.2, packdeps will flag it.

I find it most convenient to perform a search on my name, that way I get all of the packages I work on in a single screen. For example, here is a list of my outdated packages (hopefully blank right now).

Now for a few less-than-obvious features:

  • If you add the string "(deprecated)" to a synopsis field, packdeps will ignore it.
  • If you want to see if any of your ancestor dependencies (i.e., recursive dependencies) have out-of-date dependencies, click on the relevant link on that first page, e.g.
  • You can get an RSS feed of this information. This is what I highly recommend everyone do, so you get an alert when a package is out-of-date.

In addition, packdeps provides a reverse dependency list, but that is really a separate feature, and fairly self-explanatory.

I'm beginning to think we need to re-examine the PVP and its cost/benefit ratio, but that's a discussion for another time. But if you're planning on releasing packages to Hackage that have upper bounds, please use packdeps to help us avoid Cabal dependency hell.


comments powered by Disqus