Life without a package manager

This post is about what it is like to live without a package manager in your development environment, especially when using languages like C/C++. I have worked with both setups, with and without a package manager. I must say: use a package manager whenever possible, and give a genuine effort to having one. Programming languages like C/C++ have no default package manager, as C (1970s) and C++ (early 1980s) were widely adopted long before the concept of language-specific package managers emerged (late 1980s–1990s). As a result, developers typically managed libraries manually.

The first C++ package manager designed specifically for the language was biicode, introduced around 2013. Although it did not gain widespread adoption and was later discontinued, biicode marked the start of language-specific package management for C++. It paved the way for successors like Conan and Microsoft’s vcpkg (released in 2016), which are now widely used in practice.

What options are there without a package manager

Manual Downloading and Including: You directly download external libraries or their source code and copy them into your project folder. You manage versions and updates by manually replacing or updating these files. This is simple but cumbersome for larger projects or when dependencies frequently change.

These methods require careful tracking and maintenance of your dependencies and more developer effort, and they can lead to difficulties in scalability and reproducibility compared to using package managers. However, they remain common in C++ projects, especially those with legacy code or specialized build requirements.

Another important consideration is identifying exactly which third-party components are in use and whether any known vulnerabilities or licensing issues are associated with them. This is typically accomplished by scanning the codebase to detect all third-party components present. Accurate detection is critical—if components are missed or incorrectly identified, this represents a risk, as key information regarding vulnerabilities and license compliance may be lost.

The quality of the results depends on how effectively the chosen tool performs this detection. One widely used tool in the market is Black Duck, which I am familiar with, though there may be others as well. In general, these tools scan the source code, generate unique signatures, and match these against databases of known third-party component source code to identify components and their relevant information.

Finally, the results are delivered and the fun starts. There are many hits in the result. Some of them are false positives. In my experience working with some SCA (Software Composition Analysis) tools, I have seen roughly 30%-60% false positives when a package manager is not used. Manual intervention is needed to handle these false positives. There are also cases of false negatives, where you know some third-party component is used although the scanner didn't identify it correctly or missed it entirely.
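To make the signature-matching idea concrete, here is an added toy scanner (my own illustration, not Black Duck's or any vendor's method): it normalizes C/C++ sources, hashes them, and matches a vendored tree against a constructed signature database, reporting matched components and the unmatched files that need manual review. The component names, file contents and the `demo()` tree are all constructed for this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def normalize(src: str) -> bytes:
    """Strip C/C++ comments and collapse whitespace so reformatting or a new header doesn't break the match."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return " ".join(src.split()).encode()

def signature(src: str) -> str:
    return hashlib.sha256(normalize(src)).hexdigest()
# Constructed stand-in for an SCA vendor's signature database: component -> upstream files.
KNOWN_FILES = {
    "libfoo 1.2.0": {"foo.c": "int foo(int x) { return x + 1; }", "foo.h": "int foo(int x);"},
    "libbar 0.9.1": {"bar.c": "int bar(int y) { return y * 2; }"},
}
SIGNATURE_DB = {signature(src): (comp, name)
                for comp, files in KNOWN_FILES.items() for name, src in files.items()}

def scan_tree(root: Path) -> tuple[dict[str, list[str]], list[str]]:
    """Return (component -> matched paths, unmatched C/C++ paths). Unmatched files under a
    vendored directory are the ones to review by hand; a locally patched library is a typical false negative."""
    matches, unmatched = {}, []
    for path in sorted(root.rglob("*")):
        if path.suffix not in {".c", ".cc", ".cpp", ".h", ".hpp"}:
            continue
        rel = path.relative_to(root).as_posix()
        hit = SIGNATURE_DB.get(signature(path.read_text()))
        if hit:
            matches.setdefault(hit[0], []).append(rel)
        else:
            unmatched.append(rel)
    return matches, unmatched

def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Scan a constructed tree: an unmodified but reformatted libfoo, a locally patched libbar, own code."""
    files = {
        "third_party/libfoo/foo.c": "/* vendored 2024 */\nint foo(int x) {\n  return x + 1;\n}\n",
        "third_party/libfoo/foo.h": "int foo(int x);\n",
        "third_party/libbar/bar.c": "int bar(int y) { return y * 3; }\n",  # local patch: * 2 -> * 3
        "main.cpp": "int main() { return 0; }\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, src in files.items():
            (Path(d) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / rel).write_text(src)
        return scan_tree(Path(d))
```

Running `demo()` reports libfoo as matched and lists `third_party/libbar/bar.c` and `main.cpp` as unmatched; a real tool indexes far more than whole-file hashes, but the triage step is the same.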

As you can see, these manual steps to check the results are time consuming and make for a poor developer experience. There are other SCA tools, like Snyk and Endor Labs, promising better results and experience; I have not tried them yet.

On the other hand, not all open-source software (OSS) components are available in C++ package managers like Conan or vcpkg. These package managers mainly focus on C++ libraries, but many OSS components are written in other languages or are simply not packaged for these ecosystems. As a result, manual effort is sometimes required when certain components are unavailable through these package managers.

It is easy to recommend switching to a package manager, but there are still some challenges that need to be addressed. Support and coverage for C++ package managers are improving over time—this was a consistent theme during my research on this topic. In my view, adopting a package manager offers clear benefits, especially for OSS components that are already available in these ecosystems. For those that are not, creating your own packages and publishing them internally is also a viable approach, although I have not personally tried this yet.

Last but not least, if you can make use of a package manager, please do; it will make your life and your colleagues' lives easier.
