Slashdot Mirror

← Back to Stories (view on slashdot.org)

Node.js's npm Is Now The Largest Package Registry in the World (linux.com)

Posted by EditorDavid on from the delivering-packages dept.

Linux.com highlights some interesting statistics about npm, the package manager for Node.js.
  • "At over 350,000 packages, the npm registry contains more than double the next most populated package registry (which is the Apache Maven repository). In fact, it is currently the largest package registry in the world."
  • In the preceding four weeks, users installed 18 billion packages.
  • This translates into 6 billion downloads, "because approximately 66 percent of the installs are now being served from the cache."
  • ping.npmjs.com "shows that the registry's services offer a 99.999 uptime."
  • Every week roughly 160 people publish their first package in the registry

But what about the incident last year where a developer suddenly pulled all their modules and broke thousands of dependent projects? npm's Ashley Williams "admitted that the left-pad debacle happened because of naive policies at npm. Since, the npm team have devised new policies, the main one being that you are only allowed to unpublish a package within 24 hours of publishing it." And their new dissociate and deprecate policy allows developers to mark packages as "unmaintained" without erasing them from the registry.


4 of 133 comments (clear)

  1. How many *useful* packages? by Anonymous Coward · · Score: 5, Insightful

    When you get such trivialities as left pad in the registry, why should anyone care that the raw number of packages is large?

    Quick everybody: how do you write "hello world" in javascript?

    npm install hello-world

    1. Re:How many *useful* packages? by Anonymous Coward · · Score: 3, Insightful

      That hello-world package will bring at least a dozen packages, such as Encyclopedia Britannica which is used to get the two words and some QT and XML libraries which are needed to dump the output string into stdout.

  2. left-pad by Anonymous Coward · · Score: 3, Insightful

    I think the debacle really just opened up a lot of eyes as to when it's appropriate to start npm installing a bunch of crap instead of writing your own code.

    There's a fetish for modules in the JavaScript world that defies reason.

    "What? Use the built-in keyword "function" for defining functions? Heavens no you fool, we install Sindre Sore-Ass's woopee-unicorn-function-creator package!

    It's cancer all the way down on NPM.

  3. And that's a bad thing by allo · · Score: 3, Insightful

    Ever installed some nodejs stuff?
    You do "npm install" and watch an endless packagelist being downloaded. No, not to the central installation, but into the project. And they are like modules with 5 lines. See for example the "left-pad" thing. Yes, people include other programmers code for 5 lines of a function which you can create without even thinking about it. And they include such 5 line functions from hundereds of different people in their project. Not only one missing package can break millions of builds (see the left-pad example), but one malicious programmer can infect millions of production systems by issuing an update, which includes one malicious line, which loads some external script he will be able to change on demand. Because who re-reads the code of the modules, if he even read it the first place, when adding it because the name and short description seemed to match the requirements.
    The node.js ecosystem is fucked up. Working, but still a working mess.