Today I want to share some thoughts on the current state of the NPM package infrastructure. I’m pretty sure that NPM is a very good thing:
- It’s easy to use. Seriously, I love the way it works. Recent changes, like adding package-lock.json, are making NPM better and better every day;
- It has a good community and it’s very popular. You can literally find everything that you need there;
However, I’m a bit disappointed in the current state of the dependency graphs of most popular packages.
I’ll take a regular Angular application as a sample. Here is what we have as direct dependencies:
And that’s it. Looks pretty straightforward. Now let’s install all the dependencies by typing:
... one eternity later ...
added 1174 packages in 116.846s
Seriously? 1200 packages and 2 minutes to install.
package-lock.json contains 11000+ lines (don’t try to convince me that I should not worry about it, because sometimes I do: not every single day, but sometimes I need to look through all the dependencies and understand where everything went bad in production). Let’s try to understand what’s happening inside:
- The first reason is that a lot of packages have redundant dependencies. It’s 2k18 right now, why do I need to support IE6? It’s not a killer feature anymore; if someone still needs to support IE6, it should be their own problem in my opinion. There are plenty of polyfills available in NPM, but they should be installed on demand, not pushed to everyone. I’m writing an Angular application, and Angular itself does not support IE6 (indexof, isarray);
- The second and unfortunately most important reason – bicycles (or reinvention of the wheel). There are literally thousands of packages doing absolutely the same stuff. There is no moderation in NPM; as a result, to publish your own bicycle to NPM you only need to be smart enough to find a unique name, and that’s it. Here is what I have in Angular’s dependencies:
I’m pretty sure that this code was written with good intent, however that’s how good intentions usually end up. If you want to publish a new package to NPM, please, don’t do it. Stop for a moment, try to find packages with similar functionality, and consider contributing to the most popular one: make it more popular by providing better functionality, API and documentation, and by removing less popular packages from the dependencies of other packages. This will help to reduce the size of package-lock.json. This will make the world a little bit better!
Thank you! That’s all I have for today.