Slashdot Mirror


Node.js's npm Is Now The Largest Package Registry in the World (linux.com)

Linux.com highlights some interesting statistics about npm, the package manager for Node.js.
  • "At over 350,000 packages, the npm registry contains more than double the next most populated package registry (which is the Apache Maven repository). In fact, it is currently the largest package registry in the world."
  • In the preceding four weeks, users installed 18 billion packages.
  • This translates into 6 billion downloads, "because approximately 66 percent of the installs are now being served from the cache."
  • ping.npmjs.com "shows that the registry's services offer a 99.999 uptime."
  • Every week roughly 160 people publish their first package in the registry.

But what about the incident last year where a developer suddenly pulled all their modules and broke thousands of dependent projects? npm's Ashley Williams "admitted that the left-pad debacle happened because of naive policies at npm. Since, the npm team have devised new policies, the main one being that you are only allowed to unpublish a package within 24 hours of publishing it." And their new dissociate and deprecate policy allows developers to mark packages as "unmaintained" without erasing them from the registry.


18 of 133 comments

  1. Packages still aren't signed by Anonymous Coward · · Score: 5, Interesting

    Packages on npm still aren't signed - something that Java repository servers have had since inception.

    Might as well just open up your firewalls and let the hackers inject whatever code they want.

    Broken by design!

    Captcha: "amateurs"

    1. Re:Packages still aren't signed by Desler · · Score: 2

      And if you want a real-world example as a scenario it would be here: https://forums.unrealircd.org/...

    2. Re: Packages still aren't signed by Anonymous Coward · · Score: 5, Funny

      They're both things that JavaScript programmers don't/can't comprehend.

    3. Re: Packages still aren't signed by MachineShedFred · · Score: 2

      So you can securely download a pre-compromised package. Wonderful.

      He's talking about cryptographic integrity checking of the package, not some kind of packet injection during the download. For example, the use of GPG signatures for apt repositories.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  2. How many *useful* packages? by Anonymous Coward · · Score: 5, Insightful

    When you get such trivialities as left pad in the registry, why should anyone care that the raw number of packages is large?

    Quick everybody: how do you write "hello world" in javascript?

    npm install hello-world

    1. Re:How many *useful* packages? by Anonymous Coward · · Score: 3, Insightful

      That hello-world package will bring at least a dozen packages, such as Encyclopedia Britannica which is used to get the two words and some QT and XML libraries which are needed to dump the output string into stdout.

  3. left-pad by Anonymous Coward · · Score: 3, Insightful

    I think the debacle really just opened up a lot of eyes as to when it's appropriate to start npm installing a bunch of crap instead of writing your own code.

    There's a fetish for modules in the JavaScript world that defies reason.

    "What? Use the built-in keyword "function" for defining functions? Heavens no you fool, we install Sindre Sore-Ass's woopee-unicorn-function-creator package!"

    It's cancer all the way down on NPM.

  4. npm's Ashley Williams .. by thygate · · Score: 2

    Ash ? Guess jacksonville got boring after a while eh ..

  5. No other option when using JavaScript. by Anonymous Coward · · Score: 2, Insightful

    A huge problem with JavaScript, compared to other languages, is that its standard library is totally lacking, even after 20 years of existence.

    A lot of common library functionality that Java, C#, Perl, Ruby, Python, Tcl, Go and even C++ include by default just aren't present when using JavaScript. Or worse, if JavaScript does include some functionality it's often really shitty, sometimes to the point of being unusable.

    So if you're using JavaScript you pretty much have no choice but to start using external packages almost right away. That's why npm has become so widely used: it's because JavaScript itself is so goddamn lacking in the most basic of ways.

    Npm is basically a bandage that you have to apply to JavaScript to make it even barely usable. And you have to apply it for pretty much each and every project written in JavaScript.

    1. Re:No other option when using JavaScript. by Curunir_wolf · · Score: 2

      You mean like Angular 2?

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
  6. there is such a thing... by ooloorie · · Score: 2

    At over 350,000 packages, the npm registry contains more than double the next most populated package registry

    There is such a thing as "too big" for package repositories: at some point, the benefit of being able to find packages for obscure uses is outweighed by the cost of having to sift through endless lists of redundant packages, the incompatibilities arising from many people using incompatible frameworks, and the inability to tell easily whether a given package works well. In JavaScript, that's compounded by the extremely loose type system and error checking.

  7. No it's not by lucm · · Score: 4, Interesting

    The amount of code needed to write a web application using Node.js is tiny compared to even PHP, which itself requires a lot less code than java or others. Performance is excellent, especially if you combine it with a web server for static content (like you would do with most web technologies).

    Even without using frameworks (like Express), Nodejs is a technology that is well-suited for web applications. There is a learning curve because of the asynchronous paradigm (which can be mitigated if one uses promises) but overall the language is decent and favors good practices, such as MVC or code reuse. In the age of the API this is a fantastic platform to quickly put together a REST architecture.

    Also, don't bash Nodejs for server-side code. Because of the self-contained nature of npm it can prove quite convenient for all kinds of applications and utilities, not just web applications. Whenever I need a quick script that involves database access or interacting with web services, I no longer use bash and tools like curl or wget, I get what I need a lot faster with Nodejs. There are so many excellent packages on npm it's just a no-brainer.

    --
    lucm, indeed.
  8. Most of them trivialities by Master5000 · · Score: 2, Insightful

    made by amateur 17-year-olds....

  9. That's scary by Snotnose · · Score: 3, Interesting

    Scary so many people are using what is arguably one of the worst languages ever created.

  10. Re:Ignorance, mainly. by lucm · · Score: 4, Interesting

    I've worked with a lot of programmers (or pseudo-programmers) over the years, and the ones who like JavaScript tend to be the most ignorant of them all.

    I have worked (not just for hobbies) with C, C++, Pascal, Java, C#, the whole Visual Basic family, Perl, Python, PHP and JavaScript. I even worked with RPG and COBOL. Plus a whole bunch of shell scripting languages, from csh to PowerShell and even (OMG) JCL. On all the possible platforms you can think of, from smartphones all the way to Z series.

    And guess what? I like JavaScript. I like how it started as a clunky way to make dynamic HTML menus to how it's now powering insanely high-volume websites. Is it the prettiest language? No. Does it handle dates properly? Jesus fucking christ no. Is it a marvel of software engineering? Is it a pure delight for the intellect like lisp, or an unbreakable workhorse like Ada? No. But IT WORKS. It does the job, quickly. In browsers, and even on mainframes (yes, Nodejs is supported on IBM mini and mainframes).

    And it can be a gateway drug. Especially on the Nodejs platform JavaScript forces you to think of functions as more than a subroutine and this can be a terrific way to open your mind to the world of lambdas and closures - something that people who don't have a strong computer science or math background often struggle with.

    True story. I had a coworker who just couldn't wrap his mind around callbacks and asynchronous execution. Which was a serious problem because at the time big data was becoming a thing and this meant map-reduce and all that. You know what finally made things "click" for him? jquery and ajax calls. Seriously. When he started to realize that he could pass a function as a parameter that would be executed after the ajax call came back, it blew his mind. Very quickly he jumped on the Nodejs bandwagon and he finally was able to work on data projects involving R and math-intensive Python code.

    So there you go. Piss on JavaScript all you like, but don't try to use the "real programmers don't like JavaScript" because I'm a real programmer and I LOVE it. Maybe not my absolute favorite but definitely in my top 3.

    --
    lucm, indeed.
  11. Not just left pad by sciengin · · Score: 3, Funny

    I cannot understand my fellow Slashdotters that make fun of left-pad, node is useful for so many more things.
    For example just recently huge innovations were made within the node community and we are now proud to announce 1325 different variants of rightpad.
    Can C++ do this?
    Didn't think so!

  12. Re:node by slazzy · · Score: 2

    When developing for the front-end, you only have one option in the browser, JavaScript (besides languages which compile down to JavaScript). A lot of developers like using nodejs so they can use the same language on the backend as on the front. Personally I prefer Python on the backend, but I've started using nodejs as it makes things easier to only use one language.

    --
    Website Just Down For Me? Find out
  13. And that's a bad thing by allo · · Score: 3, Insightful

    Ever installed some nodejs stuff?
    You do "npm install" and watch an endless package list being downloaded. No, not to the central installation, but into the project. And they are like modules with 5 lines. See for example the "left-pad" thing. Yes, people include other programmers' code for 5 lines of a function which you can create without even thinking about it. And they include such 5 line functions from hundreds of different people in their project. Not only can one missing package break millions of builds (see the left-pad example), but one malicious programmer can infect millions of production systems by issuing an update, which includes one malicious line, which loads some external script he will be able to change on demand. Because who re-reads the code of the modules, if he even read it in the first place, when adding it because the name and short description seemed to match the requirements.
    The node.js ecosystem is fucked up. Working, but still a working mess.