It’s almost Halloween, which means it’s the perfect time to pass on a scary story I heard from a friend. If you’ve got a bash shell you can even act it out with me.
First, we are going to install
create-react-app and see how many
dependencies it installs from npm. Since npm puts each dependency in its own
node_modules/, we can just count the number of folders it
creates to determine the number of dependencies we’ve installed:
$ mkdir -p /tmp/react && cd /tmp/react $ npm install create-react-app $ ls node_modules | wc -l 103
As you can see,
create-react-app installs 103 dependencies. What about the
actual React app it generates for us?
$ $(npm bin)/create-react-app foo $ ls foo/node_modules | wc -l 892
A brand new React app has 892 dependencies! For comparison, here’s how many packages are included with the DVD for Ubuntu 16.04, a complete desktop operating system:
curl -s http://releases.ubuntu.com/16.04/ubuntu-16.04.3-desktop-amd64.manifest | wc -l 1929
It turns out that to do the equivalent of “Hello, world!” in React (using the official, Facebook-approved toolchain), you need about 46% as many individual dependencies as you get with the Ubuntu live DVD.
React is wildly popular. Businesses big and small are using it to power their products. Think about a typical small-ish software development team that uses React (or your own team, if that describes you) and ask yourself:
- If you asked the team how many dependencies they thought their app had, would it be anywhere near 892? Would they be off by less than a factor of 10?
- How many of those 892 dependencies did the team audit for security, code quality, acceptable test coverage, and so on?
- How many of those 892 dependencies has the team ever looked at, even just once?
- How many of those 892 dependencies has the team even heard of?
Now think about how much of your personal data is tied up in web services whose webs of dependencies are even more tangled than the React boilerplate.