
Node.js's npm Is Now The Largest Package Registry in the World (linux.com)

Linux.com highlights some interesting statistics about npm, the package manager for Node.js.
  • "At over 350,000 packages, the npm registry contains more than double the next most populated package registry (which is the Apache Maven repository). In fact, it is currently the largest package registry in the world."
  • In the preceding four weeks, users installed 18 billion packages.
  • This translates into 6 billion downloads, "because approximately 66 percent of the installs are now being served from the cache."
  • ping.npmjs.com "shows that the registry's services offer a 99.999 uptime."
  • Every week roughly 160 people publish their first package in the registry.

But what about the incident last year where a developer suddenly pulled all their modules and broke thousands of dependent projects? npm's Ashley Williams "admitted that the left-pad debacle happened because of naive policies at npm. Since, the npm team have devised new policies, the main one being that you are only allowed to unpublish a package within 24 hours of publishing it." And their new dissociate and deprecate policy allows developers to mark packages as "unmaintained" without erasing them from the registry.


  • by Anonymous Coward on Saturday January 14, 2017 @10:39AM (#53667209)

    Packages on npm still aren't signed - something that Java repository servers have had since inception.

    Might as well just open up your firewalls and let the hackers inject whatever code they want.

    Broken by design!

    Captcha: "amateurs"

  • by Anonymous Coward on Saturday January 14, 2017 @10:40AM (#53667219)

    When you get such trivialities as left pad in the registry, why should anyone care that the raw number of packages is large?

    Quick everybody: how do you write "hello world" in javascript?

    npm install hello-world

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      That hello-world package will bring at least a dozen packages, such as Encyclopedia Britannica, which is used to get the two words, and some Qt and XML libraries which are needed to dump the output string into stdout.

      • Don't forget that it's somehow recursive. The Encyclopedia Britannica will call an old version of hello-world. Which will then call an older version of EB.

        Then you come back to your npm install and wonder why the directory is 50 GB.

    • by Anonymous Coward

      A huge problem with JavaScript, compared to other languages, is that its standard library is totally lacking, even after 20 years of existence.

      A lot of common library functionality that Java, C#, Perl, Ruby, Python, Tcl, Go and even C++ include by default just aren't present when using JavaScript. Or worse, if JavaScript does include some functionality it's often really shitty, sometimes to the point of being unusable.

      So if you're using JavaScript you pretty much have no choice but to start using external p

      • by Anonymous Coward

        What nonsense. People programming in any language often use a ton of libraries that are not "standard". From XML parsers to game engines and GUI systems.

        Arguably, looking at the crap that is standardized in C/C++, Java, perhaps it's better JS does not have so much baked in.

        • by Anonymous Coward

          People programming in any language often use a ton of libraries that are not "standard".

          Obviously. Did you even read the GP comment? It doesn't claim that third party libraries don't exist for non-JS languages, or that they aren't used. Of course they exist and of course they're used. But they're typically not mandatory even for the smallest applications, unlike when using JS.

          From XML parsers to game engines and GUI systems.

          This is a good example of what the GP is talking about, and what you clearly did not

      • Most frameworks like Extjs and jQuery reimplement most of the js built-in functions. (Calling js a library would be too generous.) Either because runtimes implement them inconsistently (node, phantom and browsers) or because the functions themselves are shitty.

      • by allo ( 1728082 )

        There are a lot of "standard libraries". Decide for one. And then use it. From a single team. Reading their homepage, maybe watching the development, occasionally checking the implementations of things. But ONE BIG LIBRARY, not millions of tiny packages from a lot of different programmers you never heard of.

        • You mean like Angular 2 [hackernoon.com]?

          • by allo ( 1728082 )

            I don't really know Angular, but maybe it is such a library? I heard it's one of the trendy things nowadays. I am using more traditional frameworks such as jQuery and vanilla JavaScript & brain 1.0.

            • by Anonymous Coward

              GP meant for you to see this in the link:

              after an hour and a half of wrangling with Angular 2 and its plethora of dependencies

              To show that many of the newer "frameworks" for JavaScript are built using npm and a variety of cobbled-together third party libraries.

              It's like we're all building sandcastles on the beach and showing them off to each other.

              • by allo ( 1728082 )

                Ah, okay.
                I mostly avoid server-side JS and write client-side JS with as few libraries as possible, and as little script as possible. Let's be honest, devs love JavaScript, but users hate it. They do not know they hate it; they just hate bloated websites, not knowing the actual problem.

      • A huge problem with JavaScript, compared to other languages, is that its standard library is totally lacking, even after 20 years of existence.

        A lot of common library functionality that Java, C#, Perl, Ruby, Python, Tcl, Go and even C++ include by default just aren't present when using JavaScript. Or worse, if JavaScript does include some functionality it's often really shitty, sometimes to the point of being unusable.

        could you cite some examples? It would be interesting to know more on this.

        So if you're using JavaScript you pretty much have no choice but to start using external packages almost right away. That's why npm has become so widely used: it's because JavaScript itself is so goddamn lacking in the most basic of ways.

        I think it depends on the developer, to be fair. You could install Ruby gems like crazy if you were that way inclined. Also, you have to bear in mind that JavaScript developers don't have total control over their runtime (on the client), so you get a lot of polyfill type packages to, as you say, start right away.

        Npm is basically a bandage that you have to apply to JavaScript to make it even barely usable. And you have to apply it for pretty much each and every project written in JavaScript.

        OK, but, NPM is just a package manager. In other languages, you get the package manager as part of the language itself and

    • by Anonymous Coward

      I also love the fact when you install Hello World it installs the other 349,999 packages to make it work.

    • > When you get such trivialities as left pad in the registry, why should anyone care that the raw number of packages is large?

      So you're saying node.js developers have small packages?

  • left-pad (Score:3, Insightful)

    by Anonymous Coward on Saturday January 14, 2017 @10:42AM (#53667239)

    I think the debacle really just opened up a lot of eyes as to when it's appropriate to start npm installing a bunch of crap instead of writing your own code.

    There's a fetish for modules in the JavaScript world that defies reason.

    "What? Use the built-in keyword "function" for defining functions? Heavens no, you fool, we install Sindre Sore-Ass's woopee-unicorn-function-creator package!"

    It's cancer all the way down on NPM.

    • by allo ( 1728082 )

      don't you dare to use "function foo()". You need to use "var foo=function()"!!!

  • by Anonymous Coward

    There's no choice on the client, but why do people put up with all of Javascript's many rough edges and missing features when there is a universe of more appropriate server-side languages?

    • Cause with Javascript, the user computes all the stuff and pays the electricity. Serverside drives up costs. Amazon wants payment for every single cycle they compute on your behalf.

      • Or you can just have the user download a compiled program and the client pays for the electricity for running it without the penalties involved with javascript. You know, like we used to do before everything had to be done on the server so as to serve you better (for any definition of "better" that includes ads and spying on everything you do).
    • No it's not (Score:5, Interesting)

      by lucm ( 889690 ) on Saturday January 14, 2017 @11:06AM (#53667373)

      The amount of code needed to write a web application using Node.js is tiny compared to even PHP, which itself requires a lot less code than java or others. Performance is excellent, especially if you combine it with a web server for static content (like you would do with most web technologies).

      Even without using frameworks (like Express), Nodejs is a technology that is well-suited for web applications. There is a learning curve because of the asynchronous paradigm (which can be mitigated if one uses promises) but overall the language is decent and favors good practices, such as MVC or code reuse. In the age of the API this is a fantastic platform to quickly put together a REST architecture.

      Also, don't bash Nodejs for server-side code. Because of the self-contained nature of npm it can prove quite convenient for all kinds of applications and utilities, not just web applications. Whenever I need a quick script that involves database access or interacting with web services, I no longer use bash and tools like curl or wget, I get what I need a lot faster with Nodejs. There are so many excellent packages on npm it's just a no-brainer.

      • Why can't you use nginx or something else to handle your async calls rather than write your own crappy one in JavaScript? I see no point in reinventing threading and other things when technology exists that does that for you so you can focus on other things.

        • by lucm ( 889690 )

          Why can't you use nginx or something else to handle your async calls rather than write your own crappy one in JavaScript? I see no point in reinventing threading and other things when technology exists that does that for you so you can focus on other things.

          nginx is a web server. How exactly would you use it to "handle async calls" in a script? And in what way is JavaScript reinventing threading - it's single-threaded!

          A typical JavaScript app is "async" in the sense that by using callbacks you escape from the rigid top-down execution of the lines of code, allowing you to build your workflow around events without having to interact with operating system level concepts like threads or processes. This is great because if two parts of your script must interact wit

          • I'm not the person you replied to, but ...

            > And in what way is JavaScript reinventing threading - it's single-threaded!

            As you know, a generic single-core cpu is also single-threaded. (Max 16 threads with 8 core cpu and hyperthreading). The operating system simulates running many threads at once. It's actually only running one thread at a time, switching between the two, below that level it's actually single-threaded (or has just a few cpu threads).

            JavaScript / ECMAScript does something similar - simulat

            • by leptons ( 891340 )
              JScript.NET is basically Javascript, and it also works with strong typing, and threads. It's been around for more than a decade. Microsoft doesn't really support it, but JSC is a javascript compiler that can create .exe's and .dll's out of javascript, and it is still included with .NET and is on every windows computer with .NET installed.
    • by Anonymous Coward

      Performance

      No other language has ever benefited from the chaotic race by browser vendors dropping hundreds of millions of dollars into optimization. Because of advanced tracing JITs and things like opportunistic compiling etc, JavaScript is by far the fastest language next to C and Assembler and often can crush C on things like memory access which can benefit greatly from being optimized for the local processor.

      With more and more compilers being written with JavaScript as the backend target, the excitement

  • by thygate ( 1590197 ) on Saturday January 14, 2017 @10:51AM (#53667293)
    Ash? Guess Jacksonville got boring after a while, eh..
  • Yeah...
  • by ooloorie ( 4394035 ) on Saturday January 14, 2017 @11:02AM (#53667345)

    At over 350,000 packages, the npm registry contains more than double the next most populated package registry

    There is such a thing as "too big" for package repositories: at some point, the benefit of being able to find packages for obscure uses is outweighed by the cost of having to sift through endless lists of redundant packages, the incompatibilities arising from many people using incompatible frameworks, and the inability to tell easily whether a given package works well. In JavaScript, that's compounded by the extremely loose type system and error checking.

    • And of course there's got to be some significant code duplication in all that mess ...
    • The tyranny of choice. Even with Maven, trying to find the right package to use can be a pain. Want to find a generic serializer that works better than the built-in serializer? That will be half a day of searching, testing and validating (for anybody who cares, I chose fst). Fewer libraries of better quality make more sense. In Java, you have libs such as the Apache Commons and Google Guava libraries that cover a huge swath of functions, which I suspect in node.js is covered by tens of thousands of pac

      • Fewer libraries of better quality make more sense.

        One way to achieve this is through stricter languages. Maybe limiting oneself to TypeScript modules is a good start?

  • I'm really confused about node.js. Can anyone give me an example of something that they used it for that would have been a lot harder or wouldn't work as well as a traditional web framework? I guess what I'm trying to ask is, if someone is already comfortable with a framework is there reason to experiment with node.js?
    • by slazzy ( 864185 )
      When developing for the front-end, you only have one option in the browser, JavaScript (besides languages which compile down to JavaScript). A lot of developers like using nodejs so they can use the same language on the backend as on the front. Personally I prefer Python on the backend, but I've started using nodejs as it makes things easier to only use one language.
      • Are you talking technically easier or mentally easier? I do front end JavaScript and back end Python, and I've found they can communicate quite well using get/post or JSON. But perhaps the communication is more efficient somehow with node.js; is there a method of passing data that presents itself without using those protocols? I develop Android/iOS as well, so maybe I have just gotten used to thinking in different languages over the years and don't really notice it any more.
      • by Santana ( 103744 )

        I want to emphasize the existence of alternatives to JavaScript, as you mention, which means that JavaScript is not your only option.

        There's a very long list of languages that you can use instead. You can even use Smalltalk:

        https://github.com/jashkenas/c... [github.com]

  • ... were even engaged.

  • made by amateur 17-year-olds....
  • That's scary (Score:4, Interesting)

    by Snotnose ( 212196 ) on Saturday January 14, 2017 @11:25AM (#53667479)
    Scary so many people are using what is arguably one of the worst languages ever created.
  • Wow, the NSA has been busy writing code!

  • What would be telling (especially in light of left-pad) about npm, JS developers, and JS itself is how many of those packages are larger than a size that would be considered ridiculously small in another repository: 25 lines of code (which is being quite generous), measured the same way that left-pad becomes 11 lines.

  • by sciengin ( 4278027 ) on Saturday January 14, 2017 @11:33AM (#53667521)

    I cannot understand my fellow Slashdotters that make fun of left-pad; node is useful for so many more things.
    For example just recently huge innovations were made within the node community and we are now proud to announce 1325 different variants of rightpad.
    Can C++ do this?
    Didn't think so!

  • The no .de movement must end. Germans have as much right to a domain on the internet as any other country has.
  • Can you really call 10-line code snippets... packages?
  • The best thing about npm is that it can re-create the Ruby experience where the first step of running some trivial app is to install 230 packages! It's a real language!

    And god help you if you actually decide to use the app for the long term, because in twelve months half its dependencies will no longer be maintained, and the other half will require updates after you do an OS upgrade, so you'll be in there debugging errors yourself. This will help train you for a 21st century job!

  • "This just in! NPM's record on packages has been broken by an 'EmeraldBot' from Slashdot, who now hosts the largest number of packages in the world, at 550,050 and growing. Each one represents a single byte of the compiled program leftpad++, and is soon expected to double in number with the introduction of rightpad++."

    On a more serious note, NPM's claim is dubious at best because they split programs up into so many packages, some only providing a single function. A WHOLE PACKAGE FOR A FUNCTION. That view

    • I don't bother importing those 10-20 line packages. I just copy the code chunk off the Github page, paste it into my stuff, and tell my boss that I wrote it.
  • There are many different uploads of jquery and every other popular library.
  • by allo ( 1728082 ) on Saturday January 14, 2017 @03:27PM (#53668541)

    Ever installed some nodejs stuff?
    You do "npm install" and watch an endless package list being downloaded. No, not to the central installation, but into the project. And they are like modules with 5 lines. See for example the "left-pad" thing. Yes, people include other programmers' code for 5 lines of a function which you can create without even thinking about it. And they include such 5-line functions from hundreds of different people in their project. Not only can one missing package break millions of builds (see the left-pad example), but one malicious programmer can infect millions of production systems by issuing an update which includes one malicious line, which loads some external script he will be able to change on demand. Because who re-reads the code of the modules, if he even read it in the first place, when adding it because the name and short description seemed to match the requirements?
    The node.js ecosystem is fucked up. Working, but still a working mess.

    • by Tchaik ( 21417 )

      Use `yarn install`, it at least fixes the way things are installed locally by having a single copy of the packages in use and hard links in the projects.

      • by allo ( 1728082 )

        I know, there are like tens of alternative package managers, trying to fix the mess. I guess each of them has its own flaws, which are of course fixed by the shiny new one created yesterday. It's still not convincing and the problem with thousands of tiny packages remains.

        And many "amateur" packages may not guarantee their function either. Think of a left-pad which pads with spaces. Now assume the original author may not have wanted to pad it with the correct number of spaces, but pad it to reach a visible line

    • It's not just the modules themselves; npm is also horrible.

      For starters, npm is non-deterministic. Yep, you've read it right: you can install the same packages on two different machines, but if you do it in different order, you can end up with different dependency trees [npmjs.com]. And yes, despite what the npm maintainers say, it can result in different versions of packages [github.com] being installed for the same set of version constraints.

      Then there are major bugs [github.com] that have been open for over a year, and can be blocking (as in

  • One challenge I have with npm are the dead projects and the apparent inability to take over the dead project, even if your project has become the accepted source of truth in GitHub. The workaround is to create a new package, but that just adds to the confusion.

    It would be nice if there was a way for a project to either be flagged as possibly dead or require some other mechanism to red flag a project, either automated or via reporting.

    Maybe I am alone in this feeling?

  • You have to search through a ton of crap to find what's good.
