You have almost certainly used npm in a project at least once. npm helps us find, install and update project dependencies and packages. There are a few things to keep in mind while searching for an npm package, and before installing it:
- Does the package have any vulnerabilities?
- Is the package being maintained?
- Does the package have bugs that will affect my use-case?
- Is the package size acceptable?
- How does it compare to similar packages?
As we’ve seen before, npm packages can become a target for various attacks and malicious code injections. Although npm audit and npm audit fix do a good enough job of tracking and fixing known vulnerabilities in the packages you already depend on, you can use snyk.io to search for the package in their vulnerability database before even installing it.
The simplest way of checking whether a package is actively maintained by the author or the community is to go through the version history and see how often the package is updated. It’s also good to check the issues section on GitHub and see whether the author is actively fixing bugs reported by users.
Similarly, you can check the issues section on GitHub for open issues or bug reports that apply to your use case. A few examples of such issues: a conflict with another package, an edge-case issue, a specific performance issue, etc.
Sometimes a package has dependencies that increase its size dramatically, which in turn affects the size and performance of our website/app. To avoid this, check the bundle size on Bundlephobia and see whether it fits your size and performance requirements.
Often you will find multiple packages that fit your requirements. In those cases, compare them side by side and determine which package truly fits your needs, is regularly maintained and is widely used.
One of those tools is npm compare. It shows a highly detailed side-by-side comparison of two packages and highlights which package is best on each metric (issues reported, average time for updates, size, etc.).
Another useful tool is npm trends, which shows package popularity over time and a simpler, less detailed comparison.
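The version-history and bundle-size checks above can be automated from the registry metadata before anything is installed. The following Node.js script is an added example, not code from the original post: it reads a package's registry "packument" (the JSON served at https://registry.npmjs.org/&lt;package-name&gt;) and flags a deprecated latest version, a missing repository link, a stale release history, an oversized unpacked tarball or too many direct dependencies. The packument, the package name "example-widget" and the threshold values are all constructed for this example.

```javascript
// Added example: pre-install vetting from an npm registry "packument"
// (the JSON served at https://registry.npmjs.org/<package-name>).
// The packument below is constructed sample data for a hypothetical package.
const samplePackument = {
  name: "example-widget",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2019-03-01T00:00:00.000Z",
    modified: "2023-06-01T00:00:00.000Z",
    "1.0.0": "2019-03-01T00:00:00.000Z",
    "2.0.0": "2022-11-15T00:00:00.000Z",
    "2.1.0": "2023-06-01T00:00:00.000Z",
  },
  repository: { type: "git", url: "git+https://github.com/example/example-widget.git" },
  versions: {
    "2.1.0": {
      dist: { unpackedSize: 1800000 },
      dependencies: { "dep-a": "^1.0.0", "dep-b": "^2.0.0", "dep-c": "^3.0.0" },
    },
  },
};
const DAY_MS = 86400000;
// Thresholds are illustrative policy values chosen for this example, not npm defaults.
const DEFAULT_LIMITS = { maxDaysSinceRelease: 365, maxUnpackedBytes: 1000000, maxDeps: 10 };

function assessPackage(packument, now = new Date(), limits = DEFAULT_LIMITS) {
  const latest = packument["dist-tags"].latest;
  // Every key in `time` except created/modified is a published version with its publish date.
  const releaseDates = Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([, iso]) => new Date(iso));
  const lastRelease = new Date(Math.max(...releaseDates.map(Number)));
  const daysSinceRelease = Math.floor((now - lastRelease) / DAY_MS);
  const releasesLastYear = releaseDates.filter((d) => now - d <= 365 * DAY_MS).length;
  const latestMeta = packument.versions[latest] || {};
  const unpackedSize = (latestMeta.dist && latestMeta.dist.unpackedSize) || 0;
  const depCount = Object.keys(latestMeta.dependencies || {}).length;
  const hasRepo = Boolean(packument.repository && packument.repository.url);
  const warnings = [];
  if (latestMeta.deprecated) warnings.push("latest version is marked deprecated");
  if (!hasRepo) warnings.push("no repository URL (cannot review source or issues)");
  if (daysSinceRelease > limits.maxDaysSinceRelease) warnings.push(`no release in ${daysSinceRelease} days`);
  if (unpackedSize > limits.maxUnpackedBytes) warnings.push(`unpacked size ${unpackedSize} bytes exceeds limit`);
  if (depCount > limits.maxDeps) warnings.push(`${depCount} direct dependencies`);
  return { latest, daysSinceRelease, releasesLastYear, unpackedSize, depCount, hasRepo, warnings };
}
// Fixed "now" so the output is reproducible; drop the argument to use the current date.
console.log(assessPackage(samplePackument, new Date("2024-01-01T00:00:00.000Z")));
```

Note that unpackedSize is the size of the published tarball contents, not the minified bundle cost that Bundlephobia reports, so treat it as a coarse first filter.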
Feel free to post in the comments if you take into account some other criteria when searching and selecting an npm package.
Thank you for taking the time to read this post. If you've found this useful, please give it a ❤️ or 🦄, share and comment.