Node.js's npm Is Now The Largest Package Registry in the World

Linux.com highlights some interesting statistics about npm, the package manager for Node.js.

• "At over 350,000 packages, the npm registry contains more than double the next most populated package registry (which is the Apache Maven repository). In fact, it is currently the largest package registry in the world."
• In the preceding four weeks, users installed 18 billion packages.
• This translates into 6 billion downloads, "because approximately 66 percent of the installs are now being served from the cache."
• ping.npmjs.com "shows that the registry's services offer a 99.999 uptime."
• Every week roughly 160 people publish their first package in the registry

But what about the incident last year where a developer suddenly pulled all their modules and broke thousands of dependent projects? npm's Ashley Williams "admitted that the left-pad debacle happened because of naive policies at npm. Since, the npm team have devised new policies, the main one being that you are only allowed to unpublish a package within 24 hours of publishing it." And their new dissociate and deprecate policy allows developers to mark packages as "unmaintained" without erasing them from the registry.

Packages still aren't signed

[Anonymous Coward]

Packages on npm still aren't signed - something that Java repository servers have had since inception.

Might as well just open up your firewalls and let the hackers inject whatever code they want.

Broken by design!

Captcha: "amateurs"

Re:

[cryptizard]

Doesn't the repo use TLS? What type of attack scenario are you referring to?

Re:

[Desler]

What does TLS have to do with code signing?

Re: Packages still aren't signed

[Anonymous Coward]

They're both things that JavaScript programmers don't/can't comprehend.

Re:

[Desler]

And if you want a real-world example as a scenario it would be here: https://forums.unrealircd.org/... [unrealircd.org]

Re: Packages still aren't signed

[MachineShedFred]

So you can securely download a pre-compromised package. Wonderful.

He's talking about cryptographic integrity checking of the package, not some kind of packet injection during the download. For example, the use of GPG signatures for apt repositories.

Re:

[cryptizard]

I don't see how signing prevents that. NPM is not a bunch of third-party mirrors, it is one central repository. If someone hacks NPM then they would also presumably have access to the key they use to sign packages so it wouldn't matter. You either trust NPM, in which case TLS is enough, or you don't in which case why are you using their repo?

How many *useful* packages?

[Anonymous Coward]

When you get such trivialities as left pad in the registry, why should anyone care that the raw number of packages is large?

Quick everybody: how do you write "hello world" in javascript?

npm install hello-world

Re:

[Anonymous Coward]

That hello-world package will bring at least a dozen packages, such as Encyclopedia Britannica which is used to get the two words and some QT and XML libraries which are needed to dump the output string into stdout.

Re:

[0100010001010011]

Don't forget that it's somehow recursive. The Encyclopedia Britannica will call an old version of hello-world. Which will then call an older version of EB.

Then you come back to your npm install and wonder why the directory is 50 GB.

No other option when using JavaScript.

[Anonymous Coward]

A huge problem with JavaScript, compared to other languages, is that its standard library is totally lacking, even after 20 years of existence.

A lot of common library functionality that Java, C#, Perl, Ruby, Python, Tcl, Go and even C++ include by default just aren't present when using JavaScript. Or worse, if JavaScript does include some functionality it's often really shitty, sometimes to the point of being unusable.

So if you're using JavaScript you pretty much have no choice but to start using external p

Re:

[Anonymous Coward]

What nonsense. People programming in any language often use a ton of libraries that are not "standard". From XML parsers to game engines and GUI systems.

Arguably, looking at the crap that is standardized in C/C++, Java, perhaps it's better JS does not have so much baked in.

Re:

[Anonymous Coward]

People programming in any language often use a ton of libraries that are not "standard".

Obviously. Did you even read the GP comment? It doesn't claim that third party libraries don't exist for non-JS languages, or that they aren't used. Of course they exist and of course they're used. But they're typically not mandatory even for the smallest applications, unlike when using JS.

From XML parsers to game engines and GUI systems.

This is a good example of what the GP is talking about, and what you clearly did not

Re: No other option when using JavaScript.

[nitehawk214]

Most frameworks like Extjs and jQuery reimplement most of the js built-in functions. (Calling js a library would be too generous.) Either because runtimes implement them inconsistently (node, phantom and browsers) or because the functions themselves are shitty.

Re:

[allo]

There are a lot of "standard libraries". Decide for one. And then use it. From a single team. Reading their homepage, maybe watching the development, occasionally checking the implementations of things. But ONE BIG LIBRARY, not millions of tiny packages from a lot of different programmers you never heard of.

Re:

[Curunir_wolf]

You mean like Angular 2 [hackernoon.com]?

Re:

[allo]

i don't really know angular, but mayit it is such a library? I heard its one of the trendy things nowadays. I am using more traditional frameworks as jquery and vanilla javascript & brain 1.0.

Re:

[Anonymous Coward]

GP meant for you to see this in the link:

after an hour and a half of wrangling with Angular 2 and its plethora of dependencies

To show that many of the newer "frameworks" for javascript are built using npm and a variety of coddled-together third party libraries.

It's like we're all building sandcastles on the beach and showing them off to each other.

Re:

[allo]

Ah, okay.
I mostly avoid server side js and write client side js with as little libraries as possible. And as little script as possible. Let's be honest, devs love javascript, but users hate it. They do not know, they hate it. They just hate bloated websites, not knowing the actual problem.

Re:

[Disco Hips]

A huge problem with JavaScript, compared to other languages, is that its standard library is totally lacking, even after 20 years of existence.

A lot of common library functionality that Java, C#, Perl, Ruby, Python, Tcl, Go and even C++ include by default just aren't present when using JavaScript. Or worse, if JavaScript does include some functionality it's often really shitty, sometimes to the point of being unusable.

could you cite some examples? It would be interesting to know more on this.

So if you're using JavaScript you pretty much have no choice but to start using external packages almost right away. That's why npm has become so widely used: it's because JavaScript itself is so goddamn lacking in the most basic of ways.

I think it depends on the developer, to be fair. You could install Ruby gems like crazy if you were that way inclined. Also, you have to bear in mind that JavaScript developers don't have total control over their runtime (on the client), so you get a lot of polyfill type packages to, as you say, start right away.

Npm is basically a bandage that you have to apply to JavaScript to make it even barely usable. And you have to apply it for pretty much each and every project written in JavaScript.

OK, but, NPM is just a package manager. In other languages, you get the package manager as part of the language itself and

Re:

[Anonymous Coward]

I also love the fact when you install Hello World it installs the other 349,999 packages to make it work.

You mean node.js devs have small packages

[raymorris]

> When you get such trivialities as left pad in the registry, why should anyone care that the raw number of packages is large?

So you're saying node.js developers have small packages?

Re:

[TheRaven64]

I agree that it's nice to have a large standard library that's decomposed in such a way that you can only pick the bits that you need, but a good standard library follows a common set of conventions and is designed in such a way that no individual parts conflict with others. NPM is not this: individual developers provide functionality using their own set of conventions and packages often conflict (made worse by JavaScript's lack of easy tools for encapsulation). As such, you may pick half a dozen useful f

left-pad

[Anonymous Coward]

I think the debacle really just opened up a lot of eyes as to when it's appropriate to start npm installing a bunch of crap instead of writing your own code.

There's a fetish for modules in the JavaScript world that defies reason.

"What? Use the built-in keyword "function" for defining functions? Heavens no you fool, we install Sindre Sore-Ass's woopee-unicorn-function-creator package!

It's cancer all the way down on NPM.

Re:

[allo]

don't you dare to use "function foo()". You need to use "var foo=function()"!!!

Re:

[leptons]

Nope. All the cool kids would write it as "const foo = ( ) =>;

Ugh, this is the worst part of "the new javascript", ES6. People don't even know what 'const' is for and they misuse it everywhere.

That said, I love Javascript and have been working with it for 20 years, so I can say with confidence that the haters here are mostly ridiculous and lack understanding of javascript and why it works the way it does.

Re:

[allo]

Javascript is usable and okay for client side scripting, but the "why it works the way it does" isn't reasonable in many many cases. You get used to it, you can work with it and it's not too hard to remember the WTFs, but they are there. Seems the WtfJS page is down, but there are many interesting things in js, like weird truth tables and so on. Somebody even proved, that you can convert any script in a series of special characters like [](); without any letter a-z to avoid detection when trying xss.

Re:

[Curunir_wolf]

I'll stick with Microsoft's Nuget Package Manager for all my development needs, thanks.

Yea, as much as I hated that whole idea when it was first introduced, I've become a convert myself.

javascript is a client language

[Anonymous Coward]

There's no choice on the client, but why do people put up with all of Javascript's many rough edges and missing features when there is a universe of more appropriate server-side languages?

Re:

[klingens]

Cause with Javascript, the user computes all the stuff and pays the electricity. Serverside drives up costs. Amazon wants payment for every single cycle they compute on your behalf.

Re:

[BarbaraHudson]

Or you can just have the user download a compiled program and the client pays for the electricity for running it without the penalties involved with javascript. You know, like we used to do before everything had to be done on the server so as to serve you better (for any definition of "better" that includes ads and spying on everything you do).

Re: javascript is a client language

[nitehawk214]

And I don't want to download a potentially horribly insecure app to view content that is better and more securely viewed in a browser.

And considering how insecure browsers can be, this is saying something profound

Re:

[epyT-R]

Secure? Browser? hahaha, surely thou jest..

Re:

[BarbaraHudson]

How many web sites also monitor your key strokes, mouse movements, and everywhere else you go? An ordinary application that doesn't require connection to the internet isn't going to spy on you and monetize you as aggressively - or if it does, it will be called malware or spyware, not Facebook.

Re:

[nitehawk214]

Oh I have never wondered why, I know exactly why. And it isn't their stated reason of "so you can share articles with your contacts". That lame reason is so transparent it isn't even funny.

Re:

[AuMatar]

It has to do with barriers to entry. In the old days, the most ignorant were the BASIC programmers. Because the compiler was cheap/free, it was the easiest one to start on. So you had more half trained people using that than anywhere else.

In the web days, Javascript became even easier than BASIC- no tools needed but notepad and the browser. No need to compile your app, just hit refresh. And immediately you had a complicated GUI output, not just a console app. So that's where everyone started learning

Re:Ignorance, mainly.

[lucm]

I've worked with a lot of programmers (or pseudo-programmers) over the years, and the ones who like JavaScript tend to be the most ignorant of them all.

I have worked (not just for hobbies) with C, C++, Pascal, Java, C#, the whole Visual Basic family, Perl, Python, PHP and JavaScript. I even worked with RPG and COBOL. Plus a whole bunch of shell scripting languages, from csh to PowerShell and even (OMG) JCL. On all the possible platforms you can think of, from smartphones all the way to Z series.

And guess what? I like JavaScript. I like how it started as a clunky way to make dynamic HTML menus to how it's now powering insanely high-volume websites. Is it the prettiest language? No. Does it handle dates properly? Jesus fucking christ no. Is it a marvel of software engineering? Is it a pure delight for the intellect like lisp, or an unbreakable workhorse like Ada? No. But IT WORKS. It does the job, quickly. In browsers, and even on mainframes (yes, Nodejs is supported on IBM mini and mainframes).

And it can be a gateway drug. Especially on the Nodejs platform JavaScript forces you to think of functions as more than a subroutine and this can be a terrific way to open your mind to the world of lambdas and closures - something that people who don't have a strong computer science or math background often struggle with.

True story. I had a coworker who just couldn't wrap his mind around callbacks and asynchronous execution. Which was a serious problem because at the time big data was becoming a thing and this meant map-reduce and all that. You know what finally made things "click" for him? jquery and ajax calls. Seriously. When he started to realize that he could pass a function as a parameter that would be executed after the ajax call came back, it blew its mind. Very quickly he jumped on the Nodejs bandwagon and he finally was able to work on data projects involving R and math-intensive Python code.

So there you go. Piss on JavaScript all you like, but don't try to use the "real programmers don't like JavaScript" because I'm a real programmer and I LOVE it. Maybe not my absolute favorite but definitely in my top 3.

Re:

[Santana]

You have tried so many programming languages and you don't know JavaScript is severely broken? Shame on you.

Let's look at your criteria for loving JavaScript:

IT WORKS
It does the job
It does it quickly
Works in browsers and mainframes.
Potential gateway drug

That's a very low demanding list of requirements.

Re:Node.js is terrible

[Billly Gates]

From the same guy who wrote the funny mongodb webscale argument is his take on Rockstar node.js arguments [youtu.be].

So you see nothing wrong with blobs of callback after callback with making your own threading and scheduling from scratch?

Wouldn't it make sense to use nginx for performance and let that and your OS do the threading instead?

Re:

[lucm]

So you see nothing wrong with blobs of callback after callback with making your own threading and scheduling from scratch?

Different problems are solved with different tools. If the problem to solve is answering as fast as possible a tsunami of lightweight requests (such as a typical web app), Nodejs is awesome. However if there are fewer, long-running requests that tap into heavier resources (such as crypto or image processing) then maybe it's best to consider alternatives.

But even if a web app is based on Nodejs, does that mean I would use it alone? Not at all; while Nodejs can do SSL and static content, I prefer to offload t

Re:

[Pseudonym]

So you see nothing wrong with blobs of callback after callback with making your own threading and scheduling from scratch?

JavaScript has been accused of many things, but "threading" isn't one of them.

I don't mind blobs of callback in principle. Continuation-passing style doesn't scare me at all (especially in a language like Scheme or Haskell). But I agree with you. The more I used Node.JS, the more I realised I really wanted Erlang.

Re:

[Billly Gates]

So you see nothing wrong with blobs of callback after callback with making your own threading and scheduling from scratch?

JavaScript has been accused of many things, but "threading" isn't one of them.

I don't mind blobs of callback in principle. Continuation-passing style doesn't scare me at all (especially in a language like Scheme or Haskell). But I agree with you. The more I used Node.JS, the more I realised I really wanted Erlang.

Yeah man. Erlang is the real rockstar language [youtube.com]

Re:

[Pseudonym]

Is it a pure delight for the intellect like lisp, or an unbreakable workhorse like Ada?

Pure it is not, but most don't know just how close JavaScript is to Scheme. We joke about:

var f = function() { }

because the syntax is clunky, but the semantics are extremely clean.

I guess this is the thing that most people don't realise: Whatever your first programming language is, there's a bunch of stuff that you have to unlearn when it comes time to use your second. It would be wonderful if everyone started off with Haskell, but until that day comes, JavaScript is one of the best choices for a first lang

It's a matter of context

[lucm]

You like JavaScript because it helped one of your bad developers? Are you a moron?

He's not a bad developer.

A bad developer is not someone with an imperfect knowledge of some aspects of software development. A bad developer is someone who can't see the big picture and can't deliver code that is fit for purpose in the specific context where that code is needed. From corporate drones who write code for legacy Oracle Forms applications to Chinese engineers who design on-screen menus for low-end plasma TV, from Wall Street mathletes writing micro-trading platforms to people who crank out heap

The one who accepted ten days for a maasive projec

[raymorris]

> I remember years ago we had this massive migration project ...
> after a week the deadline was looming
> Who was the bad developer in that story?

The one who said "yes, we can do this massive migration in a week or so."

Re:

[lucm]

The one who said "yes, we can do this massive migration in a week or so."

That would be someone in management.

That's the usual team work; the manager makes crazy promises and the underpaid techies deliver. And usually everyone is rewarded; the manager gets a fat bonus check, and the techies get free pizza and Red Bull for working all weekend. Win-win!

Re:

[balajeerc]

If you've never used a language with good support for OO (sorry, prototypes are a shitty hack, which is why more recent versions of JavaScript have actually started hacking in the idea of classes), you wouldn't know how awful JavaScript's is.

All of OO is a shitty hack.

Re:

[Pseudonym]

All of OO is a shitty hack.

I know what you're saying, but I dissent ever so slightly. Simula's object model is a shitty hack, and it shows in any language which uses it (C++, Java, C#, Python, etc).

There are a few nice object systems out there. See Smalltalk/Newspeak, O'Caml, Eiffel/Sather, and Haskell's type classes if you want to see what a principled object system looks like.

Re:

[balajeerc]

I know what you're saying too, but most often, when people say OO, they mean "inheritance", and primarily just that. That is all I am railing against.

Re:

[Pseudonym]

Yeah, when I say "OO", I usually have to follow it up with "Alan Kay coined the term, and he didn't mean what you mean".

Re:

[Chris Katko]

Translation:

>What the fuck did you just fucking say about me, you little bitch? I’ll have you know I graduated top of my class in the Programmer Seals, and I’ve been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in [Algol to Java] and I’m the top [programmer] in the entire US armed forces. You are nothing to me but just another target. I will wipe you the fuck out with precision the likes of which has never been seen before on this Ear

No it's not

[lucm]

The amount of code needed to write a web application using Node.js is tiny compared to even PHP, which itself requires a lot less code than java or others. Performance is excellent, especially if you combine it with a web server for static content (like you would do with most web technologies).

Even without using frameworks (like Express), Nodejs is a technology that is well-suited for web applications. There is a learning curve because of the asynchronous paradigm (which can be mitigated if one uses promises) but overall the language is decent and favors good practices, such as MVC or code reuse. In the age of the API this is a fantastic platform to quickly put together a REST architecture.

Also, don't bash Nodejs for server-side code. Because of the self-contained nature of npm it can prove quite convenient for all kinds of applications and utilities, not just web applications. Whenever I need a quick script that involves database access or interacting with web services, I no longer use bash and tools like curl or wget, I get what I need a lot faster with Nodejs. There are so many excellent packages on npm it's just a no-brainer.

Re:

[leptons]

Slashdot is a laughing-stock and has been for quite some time. I just came here for the popcorn, and the expected salty commentary from the neckbeards about why Javascript is the worst programming language ever created. They are the ones that don't get it, and they are also the ones who are sliding into irrelevance.

Re:

[Billly Gates]

Why can't you use nginx or something else to handle your async calls rather than write your own crappy one in JavaScript? I see no point of reinventing threading and other things when technology exists that do that for you so you can focus on other things.

Re:

[lucm]

Why can't you use nginx or something else to handle your async calls rather than write your own crappy one in JavaScript? I see no point of reinventing threading and other things when technology exists that do that for you so you can focus on other things.

nginx is a web server. How exactly would you use it to "handle async calls" in a script? And in what way is JavaScript reinventing threading - it's single-threaded!

A typical JavaScript app is "async" in the sense that by using callbacks you escape from the rigid top-down execution of the lines of code, allowing you to build your workflow around events without having to interact with operating system level concepts like threads or processes. This is great because if two parts of your script must interact wit

Simulates (poorly) threading in one or two threads

[raymorris]

I'm not the person you replied to, but ...

> And in what way is JavaScript reinventing threading - it's single-threaded!

As you know, a generic single-core cpu is also single-threaded. (Max 16 threads with 8 core cpu and hyperthreading). The operating system simulates running many threads at once. It's actually only running one thread at a time, switching between the two, below that level it's actually single-threaded (or has just a few cpu threads).

JavaScript / Emacscript does something similar - simulat

Re:

[leptons]

JScript.NET is basically Javascript, and it also works with strong typing, and threads. It's been around for more than a decade. Microsoft doesn't really support it, but JSC is a javascript compiler that can create .exe's and .dll's out of javascript, and it is still included with .NET and is on every windows computer with .NET installed.

Re: javascript is a client language

[Anonymous Coward]

Performance

No other language has ever benefited from the chaotic race by browser vendors dropping hundreds of millions of dollars into optimization. Because of advanced tracing JITs and things like opportunistic compiling etc, JavaScript is by far the fastest language next to C and Assembler and often can crush C on things like memory access which can benefit greatly from being optimized for the local processor.

With more and more compilers being written with JavaScript as the backend target, the excitement

Re:

[leptons]

Performance

Node's amazing performance is why so many of the top internet websites use it. Sites like... um...

Walmart, E-bay, Paypal, Linkedin, Yahoo, Google, Netflix... yeah nobody big is using it /s

npm's Ashley Williams ..

[thygate]

Ash ? Guess jacksonville got boring after a while eh ..

Left justify

[ubeatha]

Yeah...

there is such a thing...

[ooloorie]

At over 350,000 packages, the npm registry contains more than double the next most populated package registry

There is such a thing as "too big" for package repositories: at some point, the benefit of being able to find packages for obscure uses is outweighed by the cost of having to sift through endless lists of redundant packages, the incompatibilities arising from many people using incompatible frameworks, and the inability to tell easily whether a given package works well. In JavaScript, that's compounded by the extremely loose type system and error checking.

Re:

[BarbaraHudson]

And of course there's got to be some significant code duplication in all that mess ...

Re:

[ebrandsberg]

The tyranny of choice. Even with Maven, trying to find the right package to use can be a pain. Want to find a generic serializer that works better than the built-in serializer? That will be half a day of searching, testing and validating (for anybody who cares, I chose fst). Fewer libraries of better quality make more sense. In Java, you have libs such as the Apache Commons and Google Guava libraries that cover a huge swath of functions, which I suspect in node.js is covered by tens of thousands of pac

Re:

[ooloorie]

Fewer libraries of better quality make more sense.

One way to achieve this is through stricter languages. Maybe limiting oneself to TypeScript modules is a good start?

node

[fluffernutter]

I'm really confused about node.js. Can anyone give me an example of something that they used it for that would have been a lot harder or wouldn't work as well as a traditional web framework? I guess what I'm trying to ask is, if someone is already comfortable with a framework is there reason to experiment with node.js?

Re:

[slazzy]

When developing for the front-end, you only have one option in the browser, JavaScript (besides languages which compile down to JavaScript). A lot of developers like using nodejs so they can use the same language on the backend as on the front. Personally I prefer Python on the backend, but I've started using nodejs as it makes things easier to only use one language.

Re:

[fluffernutter]

Are you talking technically easier or mentally easier? I do front end Javascript and back end Python, and I've found they can communicate quite well using get/post or json. But perhaps the communication is more efficient somehow with node.js, is there a method of passing data that presents it self without using those protocols? I develop Android/iOS as well so maybe I have just gotten used to thinking in different languages over the years and don't really notice it any more.

Re:

[Santana]

I guess it is simpler for managers to hire and replace programmers.

Re: node

[nitehawk214]

And there are lots more shitty JavaScript only "programmers" than real programmers that can program in the best language for the task.

Re:

[Santana]

I want to emphasize the existence of alternatives to JavaScript, as you mention, which means that JavaScript is not your only option.

There's a very long list of languages that you can use instead. You can even use Smalltalk:

https://github.com/jashkenas/c... [github.com]

I didn't know they ...

[CaptainDork]

... were even engaged.

Most of them trivialities

[Master5000]

made by amateur 17 years olds....

That's scary

[Snotnose]

Scary so many people are using what is arguably one of the worst languages ever created.

The better to HEAR you with, my dear!

[jtara]

Wow, the NSA has been busy writing code!

350k packages, so what?

[Dracos]

What would be telling (especially in light on left-pad) about npm, JS developers, and JS itself is how many of those packages are larger than a size that would be considered ridiculously small in another repository: 25 lines of code (which is being quite generous), measured the same way that left-pad becomes 11 lines.

Not just left pad

[sciengin]

I cannot understand my fellow slashdoters that make fun of leftpad, node is useful for so many more things.
For example just recently huge innovations were made within the node community and we are now proud to announce 1325 different variants of rightpad.
Can C++ do this?
Didn't think so!

No .de

[puddingebola]

The no .de movement must end. Germans have as much right to a domain on the internet as any other country has.

Re: Lies, damn lies, and statistics

[nitehawk214]

Ensures inconsistency across functions too.

Oh yeah, the quality

[campuscodi]

Can you really call 10-line code snippets... packages?

Now every trivial web app needs packages!

[shess]

The best thing about npm is that it can re-create the Ruby experience where the first step of running some trivial app is to install 230 packages! It's a real language!

And god help you if you actually decide to use the app for the long term, because in twelve months half its dependencies will no longer be maintained, and the other half will require updates after you do an OS upgrade, so you'll be in there debugging errors yourself. This will help train you for a 21st century job!

Re:

[NormalVisual]

Yeah, having an update script install 40,000 new files every time it's run takes a bit of getting used to.

Uh-huh...

[EmeraldBot]

"This just in! NPM's record on packages has been broken by an 'EmeraldBot' from Slashdot, who now hosts the largest number of packages in the world, at 550,050 and growing. Each one represents a single byte of the compiled program leftpad++, and is soon expected to double in number with the introduction of rightpad++."

On a more serious note, NPM's claim is dubious at best because they split programs up into so many packages, some only providing a single function. A WHOLE PACKAGE FOR A FUNCTION. That view

Re:

[MillionthMonkey]

I don't bother importing those 10-20 line packages. I just copy the code chunk off the Github page, paste it into my stuff, and tell my boss that I wrote it.

Duplicates

[Luthair]

There are many different uploads of jquery and every other popular library.

And that's a bad thing

[allo]

Ever installed some nodejs stuff?
You do "npm install" and watch an endless packagelist being downloaded. No, not to the central installation, but into the project. And they are like modules with 5 lines. See for example the "left-pad" thing. Yes, people include other programmers code for 5 lines of a function which you can create without even thinking about it. And they include such 5 line functions from hundereds of different people in their project. Not only one missing package can break millions of builds (see the left-pad example), but one malicious programmer can infect millions of production systems by issuing an update, which includes one malicious line, which loads some external script he will be able to change on demand. Because who re-reads the code of the modules, if he even read it the first place, when adding it because the name and short description seemed to match the requirements.
The node.js ecosystem is fucked up. Working, but still a working mess.

Re:

[Tchaik]

Use `yarn install`, it at least fixes the way things are installed locally by having a single copy of the packages in use and hard links in the projects.

Re:

[allo]

I know, there are like tens of alternative package managers, trying to fix the mess. I guess each of them has its own flaws, which are of course fixed by the shiny new one created yesterday. It's still not convincing and the problem with thousands of tiny packages remains.

And many "amateur" packages may not guarantee their function either. think of a left-pad, which pads with spaces. Now assume the original author may not wanted to pad it with the correct number of spaces, but pad it to reach a visible line

Re:

[shutdown -p now]

It's not just the modules themselves; npm is also horrible.

For starters, npm is non-deterministic. Yep, you've read it right: you can install the same packages on two different machines, but if you do it in different order, you can end up with different dependency trees [npmjs.com]. And yes, despite what the npm maintainers say, it can result in different versions of packages [github.com] being installed for the same set of version constraints.

Then there are major bugs [github.com] that have been open for over a year, and can be blocking (as in

Dead packages

[Midnight Thunder]

One challenge I have with npm are the dead projects and the apparent inability to take over the dead project, even if your project has become the accepted source of truth in GitHub. The workaround is to create a new package, but that just adds to the confusion.

It would be nice if there was a way for a project to either be flagged as possibly dead or require some other mechanism to red flag a project, either automated or via reporting.

Maybe I am alone in this feeling?

Largest implies lower average quality.

[God of Lemmings]

You have to search through a ton of crap to find whats good.