DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

majo44 for ArdentCode

Posted on

Stop adding npm dependencies (thoughtlessly) !

Have you ever checked what happens when you run npm install xyz --save ? Or looked at the real weight of used packages? Or maybe examined the dependencies of your dependencies?

Let's assume that we have a few packages which deliver the same or similar value. There are many factors which we can consider when we have to make a choice
between them. Personally, for long time I used some kind of popularity contest, what my team is using, downloads count on npmjs.com, stars on Github...
I also used different factors like the quality of documentation, the state of the project, is it still maintained or not, etc., ect. But I've never thought about the weight of the dependencies.

If you look at this answer on stackoverflow.com or this one on quora.com or check how the npms.io is measure the quality of the package, you can notice that weight is not mentioned there.

You probably saw that image:
Node modules heaviest objects in the universe
Source: devrant.com/rants/760537...

But you probably did not saw that one:
Storybook Galaxy
Storybook galaxy

No, this is not Andromeda Galaxy. This is a dependencies galaxy of Storybook. Storybook depends on more than 700 packages, which are connected by almost 1300 connections, and based on more than 10 different licenses. It is "just" 117 MB of code, but the amount of packages scares me. What's more, there are addons for the Storybook. In order to use it with React (@storybook/react) you have to install at least 1450 packages!

Alt Text

Recently, I have been looking for a simple cli tool for deleting files by the glob pattern. There a few options, so I compared the weight of the first few:

name dependencies tree nodes size npms.io score
rimraf 12 170 kB 82
trash-cli 179 2.3 MB 71
del-cli 94 2.1 MB 72

Hello, I just want to delete some files, I do not need the Spaceball One, for this task.

Spaceball One
Spaceball One transformed into Mega Maid, in the mission "Vacu-Suck"

I know there are tools that try to solve the problem like yarn, but it would be better to do not create that problem at all. Let's consider that we have to pay for the time and disk space for every environment where our package is used, CI, my next desk colleague, a developer from another place in the world. Do not use the Spaceball One if you do not need it, do not create the Spaceball One if it is not your goal. Remember, every time you add a dependency, anyone who uses your code adds it as well.

There are some useful tools which we can use to evaluate weight of packages. For some time I have been using:

  • npm.anvaka.com - Visualization of npm dependencies
  • NPMGraph - Visualize NPM Module Dependencies
  • bundlephobia - Cost of adding a npm package to your bundle
  • npms.io - A better and open source search for node packages

Do you know any other tools? Do you have any advice on how to prevent the project from becoming a GIANT?

P.S. I know that rimraf, trash-cli and del-cli are "different" :)

Top comments (9)

Collapse
 
joekaiser profile image
Joe

I always suggest that people run npm dedupe docs.npmjs.com/cli/dedupe I have found it does a good job at cleaning up the dependency tree

Collapse
 
majo44 profile image
majo44

Good advice. Thx.

Collapse
 
osdevisnot profile image
osdevisnot

I'm glad someone else shares similar views with me on this topic. To circumvent some of it for my package building needs, I recently authored klap. dev.to/osdevisnot/show-dev-introdu...

It probably won't score high on the scoring sites you use above considering it's a new effort, but you might find it useful.

Collapse
 
richardevcom profile image
richardev

I overanalyzed and misunderstood the context of title - misread dependencies as packages πŸ˜… and instatly though "I should not have written this article about ADDING your module as NPM package" (not a shameless plug, honestly).

But yeah.. transitioning to yarn seems like the best solution atm. I'm slowly saying my goodbyes to npm.

Collapse
 
mateiadrielrafael profile image
Matei Adriel

I personally use pnpm as my package manager to prevent duplicates!

Collapse
 
pazzavlad profile image
Vlad Harbarchuk

Don't see any problem with that. Like come on, space in hard drive is cheap. And it's much more convenient than for example python pip where you mess with global deps.

Collapse
 
majo44 profile image
majo44

Space is cheep, but this doesn't mean that you should not care about it. And the key point is that the space is not the biggest problem, I did not mentioned this in article, but the amount and quality of your dependencies has also huge impact on software complexity, maintainability, error prone and security, what is not cheep at all.

Collapse
 
krzysztofcislo profile image
Krzysztof CisΕ‚o

Hard drive is cheap but network bandwidth... not necessarily. The problem is not so critical if you work only on the server side but if you create client bundle which will be sent to the browser then you can easily loose control how many megabytes will be transferred.

Collapse
 
johndavidlarsen profile image
JohnDavidLarsen

trash-cli loads a entire developers code base, everything the dev ever wrote. For some reason.

Advice For Junior Developers

>> Check out this classic DEV post <<