State of the Union: npm

Found on Linux.com on Saturday, 14 January 2017

For example, in the 28 days prior to the talk, users had installed 18 billion ("billion" with a "b") packages from the registry, although this translated to "only" about 6 billion downloads. The downloads are substantially lower than the installs because approximately 66 percent of the installs are now being served from the cache.

At over 350,000 packages, the npm registry holds more than twice as many packages as the next largest package registry (the Apache Maven repository). It is currently the largest package registry in the world.

That giant mess is nothing to be proud of. The sheer size of the registry only hints at the lack of quality guidelines, and the hint is accurate: it is full of "hello world" packages which have no place in a serious repository. Nor should anyone forget the left-pad incident, which underlines the risk of depending on third-party packages for even the most trivial code. Instead of writing such code themselves and staying as independent as possible, these "developers" ship applications that break far too easily. Another thing to keep in mind is that packages are not signed, so as mirrors and caching proxies become more common, a malicious cache operator can modify anything it serves, and a client that does not pin a hash of each package it expects has no way to notice. Furthermore, because anyone and their dog can publish packages, there is no code audit. What if the account that owns left-pad were hacked and someone simply pushed a malware update?