re: The node_modules problem VIEW POST

FULL DISCUSSION
 

Great rant, I wholeheartedly agree with everything you said.

I think that the major problem is the carelessness with which library developers pull in dependencies.

I have a pet project with one production dependency and three development dependencies and npm has pulled in a total of, no kidding, 2352 packages.

One of those packages is called path-is-inside and is a simple script with fifteen lines of code that checks whether a path is inside another path.

Now, I'm not saying that everybody should be reinventing the wheel all the time everywhere, but if developers are pulling in packages instead of writing fifteen-line utility functions (it's not even hard to figure out if a path is inside another path), no wonder that there are so many jokes about node_modules out there.

Personally, I'm always wary of pulling in dependencies and I always try to avoid packages that seem to have an unreasonable amount of dependencies for the job they do, although I'm more liberal with development dependencies (after all, there's only so much you can avoid when you're stuck with nodemon and webpack).

 

it's not even hard to figure out if a path is inside another path

It's not that it's hard, it's that, between normalization and platform (Windows) specific issues, it's easy to get wrong. Reimplementing it is not worth the 7kb you may save.

 

I would normally concede that it's a grey zone, but path-is-inside doesn't even do path normalisation (which, for the record, you can easily do with node's path module). I'd say that 15 lines of code to save 7kb and a broken implementation is worth every bit of it.

Anyway, this was a particular example, you could argue about every single small package that there is a reason you may want to add it as a dependency instead of implementing it yourself and you would be right. However, if we don't draw the line anywhere, well... we end up with 1875 subfolders in our node_modules folder. I just wish library developers were more careful when adding dependencies and only add them when they are truly required and have decent quality.

I'd say that 15 lines of code to save 7kb and a broken implementation is worth every bit of it.

In all likelihood, you're not saving 7kb; another library you're using probably has the same requirement and probably uses that same package. And if you get all libraries to do as you do, you now have n identical implementations of a 1kb function as opposed to a constant 7kb.

if we don't draw the line anywhere, well... we end up with 1875 subfolders in our node_modules folder.

node_modules aren't huge because somebody pulls into a small library. They're huge because people'll publish unneeded files, or don't split up their library into more focused libraries, or don't make an effort to deduplicate their dependency trees, or keep support for old node versions, or pin to specific versions so other dependencies can't deduplicate.

I just wish library developers were more careful when adding dependencies

It doesn't have to be a wish; if it is important to you, it is totally within your power to attempt to rectify that which you find a mistake (at least as far as open source goes). Many repositories will be responsive or even appreciative if you make an issue.

code of conduct - report abuse