Comment by bdangubic
2 days ago
also scrutinize every dependency you introduce. I have seen sooooo many dependencies over the years where a library was brought in for one or two things which you can write yourself in 5 minutes (e.g. commons-lang to use null-safe string compare or contains only)
Sure but you basically need a different ecosystem to bring in a popular package and not expect to end up with these trivial libraries indirectly through some of the dependencies.
Said scrutinizing from my side consists of checking the number of downloads and age of the package, maybe at best a quick look at the GitHub.
Yes, I'm sure many dependencies aren't very necessary. However, in many projects I worked on (corporate) which were on the older Webpack/Babel/Jest stack, you can expect node_modules at over 1 GB. There this ship has sailed long ago.
But on the upside, most of those packages should be fairly popular. With pnpm's dependency cooldown and whitelisting of postinstall scripts, you are probably good.
>consists of checking the number of downloads and age of the package
Age can't be gamed, but number of downloads sure can.
I looked at number of downloads just like I am looking at number of amazon reviews :) tells you just about the same thing - nothing at all