The NPM CLI has 65 production dependencies from the NPM registry(github.com)
2 points by monarchwadia 13 hours ago | 3 comments
monarchwadia 13 hours ago | parent | next [-]

In an environment with so many supply chain attacks, this is scary. You can't help but be exposed to supply chain attacks with this kind of philosophy.

benoau 12 hours ago | parent | prev [-]

Looks like 122 when it's all installed

monarchwadia 12 hours ago | parent [-]

Seems it's 1078 total dependencies. Only 2 prod dependencies, but as we saw with recent attacks, dev tooling is an attack surface.

I ran this script to count all packages in package-lock.json:

  node -e '
  const lock = require("./package-lock.json");
  const entries = Object.entries(lock.packages || {}).filter(([k]) => k); // skip root ""
  const c = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
  for (const [, p] of entries) {
    c.total++;
    if (p.peer) c.peer++;
    else if (p.optional) c.optional++;
    else if (p.dev) c.dev++;
    else c.prod++;
  }
  console.log(c);
  '
Output:

  { prod: 2, dev: 955, optional: 113, peer: 8, total: 1078 }
So, 1078 total dependencies.
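As an added example that is not part of the thread, this extends the counting script above to flag the lockfile entries a supply-chain review would look at first: packages without an `integrity` hash and packages whose `resolved` URL points outside the public registry. The lockfile contents and package names are constructed for the example and are not real packages.

```javascript
// Added example (not from the thread): classify a package-lock.json "packages" map
// (lockfileVersion 2/3) as the thread's script does, and also flag entries with no
// "integrity" hash or a non-registry "resolved" source. Constructed sample lockfile;
// the package names and hash values are hypothetical placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-pad-ish": "^1.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-A"
    },
    "node_modules/dev-tool": {
      version: "2.1.0",
      dev: true,
      resolved: "https://registry.npmjs.org/dev-tool/-/dev-tool-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDER-B"
    },
    "node_modules/git-only-helper": {
      version: "0.3.0",
      dev: true,
      resolved: "git+ssh://git@github.com/example/git-only-helper.git#abcdef"
      // no integrity field: npm cannot verify the tarball it installs
    },
    "node_modules/optional-native": {
      version: "4.0.0",
      optional: true,
      resolved: "https://registry.npmjs.org/optional-native/-/optional-native-4.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-C"
    }
  }
};

// Returns the same prod/dev/optional/peer counts as the thread's script plus a list of
// findings; "registry" is the URL prefix every resolved tarball is expected to use.
function auditLock(lock, registry = "https://registry.npmjs.org/") {
  const counts = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
  const findings = [];
  for (const [path, p] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    counts.total++;
    if (p.peer) counts.peer++;
    else if (p.optional) counts.optional++;
    else if (p.dev) counts.dev++;
    else counts.prod++;
    if (!p.integrity) findings.push({ path, issue: "missing integrity" });
    if (p.resolved && !p.resolved.startsWith(registry))
      findings.push({ path, issue: "non-registry source", resolved: p.resolved });
  }
  return { counts, findings };
}

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To run it against a real project, replace `sampleLock` with `require("./package-lock.json")`; dev-only entries are counted and audited the same as prod ones, which is the point the comment above makes.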