Package Managers à la Carte: A Formal Model of Dependency Resolution
This work provides a theoretical foundation for unifying dependency resolution across diverse package ecosystems, addressing fragmentation in multilingual projects.
The authors formalize dependency resolution across package managers with the Package Calculus, unifying core semantics to enable cross-ecosystem tooling and supply-chain analysis.
Package managers are legion. Every programming language and operating system has its own solution, each with subtly different semantics for dependency resolution. This fragmentation prevents multilingual projects from expressing precise dependencies across language ecosystems; it leaves external system dependencies implicit and unversioned; and it obscures the full dependency graph that supply-chain analysis depends on. We present the Package Calculus, a formalism for dependency resolution that unifies the core semantics of package managers. Through a series of formal reductions, we show how this core is expressive enough to model the diversity of real-world dependency expression languages. The calculus provides the theoretical foundation for future cross-ecosystem tooling, as a lingua franca of dependency expression.