Skip to content

A scary (React) story for Halloween

It’s almost Halloween, which means it’s the perfect time to pass on a scary story I heard from a friend. If you’ve got a bash shell you can even act it out with me.

First, we are going to install create-react-app and see how many dependencies it installs from npm. Since npm puts each dependency in its own folder inside node_modules/, we can just count the number of folders it creates to determine the number of dependencies we’ve installed:

$ mkdir -p /tmp/react && cd /tmp/react
$ npm install create-react-app
$ ls node_modules | wc -l

As you can see, create-react-app installs 103 dependencies. What about the actual React app it generates for us?

$ $(npm bin)/create-react-app foo
$ ls foo/node_modules | wc -l


A brand new React app has 892 dependencies! For comparison, here’s how many packages are included with the DVD for Ubuntu 16.04, a complete desktop operating system:

curl -s | wc -l

It turns out that to do the equivalent of “Hello, world!” in React (using the official, Facebook-approved toolchain), you need about 46% as many individual dependencies as you get with the Ubuntu live DVD.

React is wildly popular. Businesses big and small are using it to power their products. Think about a typical small-ish software development team that uses React (or your own team, if that describes you) and ask yourself:

  • If you asked the team how many dependencies they thought their app had, would it be anywhere near 892? Would they be off by less than a factor of 10?
  • How many of those 892 dependencies did the team audit for security, code quality, acceptable test coverage, and so on?
  • How many of those 892 dependencies has the team ever looked at, even just once?
  • How many of those 892 dependencies has the team even heard of?

Now think about how much of your personal data is tied up in web services whose webs of dependencies are even more tangled than the React boilerplate.

Happy Halloween!