The NPM CLI has 65 production dependencies from the NPM registry

github.com

2 points by monarchwadia a month ago · 3 comments

monarchwadiaOP a month ago

In an environment with so many supply chain attacks, this is scary. You can't help but be exposed to supply chain attacks with this kind of philosophy.

benoau a month ago

Looks like 122 when it's all installed

  • monarchwadiaOP a month ago

    Seems it's 1078 total dependencies. Only 2 prod dependencies, but as we saw with recent attacks, dev tooling is an attack surface.

    I ran this script to count all packages in package-lock.json:

      node -e '
      const lock = require("./package-lock.json");
      const entries = Object.entries(lock.packages || {}).filter(([k]) => k); // skip root ""
      const c = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
      for (const [, p] of entries) {
        c.total++;
        if (p.peer) c.peer++;
        else if (p.optional) c.optional++;
        else if (p.dev) c.dev++;
        else c.prod++;
      }
      console.log(c);
      '
    
    Output:

      { prod: 2, dev: 955, optional: 113, peer: 8, total: 1078 }
    
    So, 1078 total dependencies.
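As an added example (not code from the thread or from the npm project): a fuller version of the same lockfile walk that keeps the posted script's prod/dev/optional/peer split and additionally flags the entries a reviewer would want to look at, namely packages resolved from somewhere other than the registry and packages with no `integrity` hash. It assumes a lockfileVersion 2 or 3 file (the `packages` map); v1 lockfiles use a nested `dependencies` tree and are not handled. The lockfile object and the package names in it are constructed for the example and are not real registry packages.

```javascript
// Added example, not code from the thread: classify every package in a
// package-lock.json (lockfileVersion 2 or 3 "packages" map) the way the
// posted one-liner does, then flag entries with weak provenance.
// SAMPLE_LOCK is constructed for this example; its package names are
// placeholders, not real registry packages.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    // "" is the root project and is never counted as a dependency
    "": { name: "example-app", dependencies: { "app-lib": "^1.0.0" } },
    "node_modules/app-lib": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/app-lib/-/app-lib-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED0",
    },
    "node_modules/build-tool": {
      version: "2.1.0",
      dev: true,
      resolved: "https://registry.npmjs.org/build-tool/-/build-tool-2.1.0.tgz",
      integrity: "sha512-CONSTRUCTED1",
    },
    // A transitive dev dependency pulled straight from a git URL: no
    // registry and no integrity hash, so nothing pins the tarball contents.
    "node_modules/build-tool/node_modules/helper": {
      version: "0.3.0",
      dev: true,
      resolved: "git+ssh://git@github.com/example/helper.git#0123456",
    },
    "node_modules/native-bits": {
      version: "1.2.0",
      optional: true,
      resolved: "https://registry.npmjs.org/native-bits/-/native-bits-1.2.0.tgz",
      integrity: "sha512-CONSTRUCTED2",
    },
    "node_modules/peer-thing": {
      version: "4.0.0",
      peer: true,
      resolved: "https://registry.npmjs.org/peer-thing/-/peer-thing-4.0.0.tgz",
      integrity: "sha512-CONSTRUCTED3",
    },
  },
};

// Same precedence as the posted script: peer > optional > dev > prod.
function classify(pkg) {
  if (pkg.peer) return "peer";
  if (pkg.optional) return "optional";
  if (pkg.dev) return "dev";
  return "prod";
}

// Every entry except the root "" key is an installed dependency.
function dependencyEntries(lock) {
  return Object.entries(lock.packages || {}).filter(([path]) => path !== "");
}

function countDependencies(lock) {
  const counts = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
  for (const [, pkg] of dependencyEntries(lock)) {
    counts.total++;
    counts[classify(pkg)]++;
  }
  return counts;
}

// Flag entries whose provenance is weaker than "registry tarball plus
// subresource-integrity hash". Workspace links (link: true) are skipped
// because they legitimately have neither.
function auditLock(lock, registryHost = "registry.npmjs.org") {
  const findings = [];
  for (const [path, pkg] of dependencyEntries(lock)) {
    if (pkg.link) continue;
    const kind = classify(pkg);
    let fromRegistry = false;
    try {
      const u = new URL(pkg.resolved || "");
      fromRegistry = u.protocol === "https:" && u.hostname === registryHost;
    } catch (_) {
      fromRegistry = false; // unparsable or absent "resolved"
    }
    const resolved = pkg.resolved || null;
    if (!fromRegistry) findings.push({ path, kind, reason: "non-registry source", resolved });
    if (!pkg.integrity) findings.push({ path, kind, reason: "missing integrity hash", resolved });
  }
  return findings;
}

// Run against a real lockfile: node lock-audit.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file && file.endsWith(".json")
    ? JSON.parse(require("fs").readFileSync(file, "utf8"))
    : SAMPLE_LOCK;
  console.log(countDependencies(lock));
  for (const f of auditLock(lock)) console.log(`${f.reason}: ${f.path} (${f.kind}) <- ${f.resolved}`);
}
```

On the sample lockfile this reports 1 prod, 2 dev, 1 optional and 1 peer package (5 total) and two findings, both for the git-sourced transitive dev dependency. Run it against a real package-lock.json to get the same split the thread discusses plus the list of packages whose contents are not pinned by a registry integrity hash; those are the ones worth examining first, whatever the dev/prod label says.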
