DEV Community

How do you approach adding new npm dependencies to a project?

Andreas Sommarström (sumstrm) ・1 min read

Do you review a dependency before adding it? Base it on what criteria? Discuss it with others, open a pull request or is it a total free-for-all where everything is allowed?

My question comes from a previous post and the need to adopt (or at least discuss) a strategy for how new dependencies are added securely and efficiently.

I found this AskJS reddit thread on the same subject, but not many responses unfortunately.

I am keen to hear of other experiences on this topic.

Context: Secure management of dependencies is one of the issues our package management tool bytesafe addresses. As such I would like to get a better understanding of the workflow and concerns of the community on this issue.

Discussion (4)

Junxiao Shi (yoursunny)

I add dependencies all the time. I only check whether they have TypeScript definitions, as it's a hassle writing definitions and getting them accepted into DefinitelyTyped.

Andreas Sommarström (sumstrm), Author

Thanks for sharing! Do you put any value in stats like weekly downloads or when the package was last updated? Or do you feel like you already know enough of the dependency to trust it?

Junxiao Shi (yoursunny)

I have many "10 weekly downloads" dependencies, but I do consider the update date and GitHub issues list. If the package is not being maintained and issues are piling up, I'm less likely to use it.
Or I would send pull requests for issues that affect me, and start publishing a fork if the owner doesn't merge or otherwise fix the issues in 3 months. Example: npmjs.com/package/@yoursunny/mole-rpc - and NPM gets one more "10 weekly downloads" package, because I'm no longer using it myself.

Andreas Sommarström (sumstrm), Author

Thanks again for elaborating. Considering the update date and GitHub issues list are great examples of making an informed and intentional decision on dependencies.
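
The checks mentioned in this thread (bundled TypeScript definitions, date of the last release) can be run against a package's npm registry metadata before it is added. The following is an added example, not code from the post or any commenter; the package name, the sample metadata and the `maxAgeDays` threshold are constructed assumptions, and the GitHub issues list is not part of registry metadata, so it is not covered here.

```javascript
// Added example: vet a dependency from its npm registry metadata ("packument").
// SAMPLE_PACKUMENT is constructed; the field names (dist-tags, time,
// versions[v].types / typings / deprecated) follow the public registry format.
const SAMPLE_PACKUMENT = {
  name: "example-rpc", // hypothetical package
  "dist-tags": { latest: "1.2.0" },
  time: {
    created: "2018-03-01T10:00:00.000Z",
    modified: "2019-01-15T08:30:00.000Z",
    "1.1.0": "2018-06-10T12:00:00.000Z",
    "1.2.0": "2019-01-15T08:30:00.000Z",
  },
  versions: {
    "1.1.0": { name: "example-rpc", version: "1.1.0" },
    "1.2.0": { name: "example-rpc", version: "1.2.0", types: "dist/index.d.ts" },
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// maxAgeDays is an assumed policy threshold, not a value from the thread.
function vetPackage(packument, now, maxAgeDays = 365) {
  const findings = [];
  const latest = packument["dist-tags"] && packument["dist-tags"].latest;
  const manifest = latest && packument.versions && packument.versions[latest];
  if (!manifest) {
    return { ok: false, findings: ["no latest version in metadata"] };
  }
  // Age of the latest release, taken from the per-version publish timestamp.
  const published = Date.parse((packument.time || {})[latest]);
  let ageDays = null;
  if (Number.isNaN(published)) {
    findings.push("no publish timestamp for latest version");
  } else {
    ageDays = Math.floor((now.getTime() - published) / DAY_MS);
    if (ageDays > maxAgeDays) findings.push(`latest release is ${ageDays} days old`);
  }
  // Bundled type definitions are declared via "types" or "typings".
  if (!manifest.types && !manifest.typings) {
    findings.push("no bundled TypeScript definitions (check @types separately)");
  }
  if (manifest.deprecated) findings.push(`deprecated: ${manifest.deprecated}`);
  return { ok: findings.length === 0, latest, ageDays, findings };
}

console.log(vetPackage(SAMPLE_PACKUMENT, new Date("2019-06-15T08:30:00.000Z")));
```

A non-empty `findings` list is a prompt for a closer look, such as reading the issue tracker, rather than an automatic rejection.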