JavaScript Dependency Bloat

Comments criticize the excessively large number of dependencies in JavaScript and Node.js projects, particularly via npm, highlighting risks like supply chain vulnerabilities, the left-pad incident, and a culture of over-reliance on tiny packages.

Trend: ➡️ Stable (0.7x)
Category: Programming Languages
Comments: 3,952
Years Active: 18
Top Authors: 5
Topic ID: #8084

Activity Over Time

Year  Comments
2008  1
2010  6
2011  6
2012  18
2013  39
2014  91
2015  106
2016  432
2017  187
2018  301
2019  362
2020  462
2021  432
2022  456
2023  278
2024  282
2025  472
2026  21

Keywords

NPM, PITA, QT, requirements.txt, Node.js, npmgraph.js, JS, OOM, youtu.be, bundlejs.com, dependencies, npm, dependency, packages, js, libraries, package, library, small, node

Sample Comments

davexunit, Feb 11, 2016

NodeJS developers ought to be embarrassed at how absurdly huge their dependency trees are.

hannob, Sep 7, 2022

The answer is "too many dependencies". Package managers made it easy to have dependencies. Every added dependency adds risk. That doesn't mean you should never add dependencies - there are good reasons to do so - but you should weigh their pros and cons. Adding dozens, hundreds or thousands of dependencies (as is common in the npm ecosystem) adds lots of risk. None of that is particularly surprising.

Proudmuslim, Mar 18, 2022

Your average JS project has way too many dependencies.

seangrogg, Oct 11, 2016

This is a valid question coming from an outsider looking in. There are various packages that are extremely small (see leftpad and the associated controversy). They often wind up in a slightly larger package, which itself winds up in a slightly larger package, which recurs until you finally wind up with one actual package of consequence that you're targeting. For example, Express (a very common Node.js abstraction) has 26 direct dependencies, yet 41 total dependencies. A lot of this results

gorjusborg, Apr 9, 2022

Yes. I checked out a small project recently and it had over 2000 npm packages as dependencies. The culture around node development was/is just too dependency happy. I get standing on the shoulders of giants and that not all people are bad, but with thousands of dependencies, the chances of a supply chain issue start to become significant.

havkom, Apr 11, 2022

I would suggest that one tries to limit dependencies. The entire node ecosystem contravenes this, so maybe people should not use it.

ufmace, Oct 2, 2021

Probably the worst thing is that the standard library with Node Javascript is tiny. Therefore, you have to pull in a pile of NPM packages to do pretty much anything. The package ecosystem is rather messy for the same reason - there's a mountain of tiny packages doing a few little things because somebody needed to do just a few things and didn't want to pull in some massive library that does a ton of stuff including the thing they need to do. Which then leads to a lot of bigger and more

PhineasRex, Aug 1, 2020

Projects of similar size in JS have hundreds of dependencies, so 52 really isn't a lot.

tyingq, Mar 3, 2019

I just like that someone at npm would avoid something because it has lots of dependencies and overhead. The irony is strong with this one.

rafaelvasco, Nov 19, 2018

Not exactly Yarn or NPM. The problem is that JS is suffering from extreme dependency hell, due to over-fragmentation of modules. It's appalling. It is not a good thing starting a project, doing an install and having hundreds and hundreds of modules in node_modules, some with less than 50 lines of code. Of course things must be modular, but unwrapping everything in a folder like this is far from good.