2 points by monarchwadia 7 hours ago | 2 comments
  • monarchwadia 7 hours ago
    In an environment with so many supply chain attacks, this is scary. You can't help but be exposed to supply chain attacks with this kind of philosophy.
  • benoau 7 hours ago
    Looks like 122 when it's all installed
    • monarchwadia 7 hours ago
      Seems it's 1078 total dependencies. Only 2 prod dependencies, but as we saw with recent attacks, dev tooling is an attack surface.

      I ran this script to count all packages in package-lock.json:

        node -e '
        const lock = require("./package-lock.json");
        const entries = Object.entries(lock.packages || {}).filter(([k]) => k); // skip root ""
        const c = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
        for (const [, p] of entries) {
          c.total++;
          if (p.peer) c.peer++;
          else if (p.optional) c.optional++;
          else if (p.dev) c.dev++;
          else c.prod++;
        }
        console.log(c);
        '
      
      Output:

        { prod: 2, dev: 955, optional: 113, peer: 8, total: 1078 }
      
      So, 1078 total dependencies.