fp.

In an environment with so many supply chain attacks, this is scary. You can't help but be exposed to supply chain attacks with this kind of philosophy.

benoau•1h ago

Looks like 122 when it's all installed

monarchwadia•1h ago

Seems it's 1078 total dependencies. Only 2 prod dependencies, but as we saw with recent attacks, dev tooling is an attack surface.

I ran this script to count all packages in package-lock.json:

  node -e '
  const lock = require("./package-lock.json");
  const entries = Object.entries(lock.packages || {}).filter(([k]) => k); // skip root ""
  const c = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
  for (const [, p] of entries) {
    c.total++;
    if (p.peer) c.peer++;
    else if (p.optional) c.optional++;
    else if (p.dev) c.dev++;
    else c.prod++;
  }
  console.log(c);
  '

Output:

  { prod: 2, dev: 955, optional: 113, peer: 8, total: 1078 }

So, 1078 total dependencies.