bower and many other npm packages, has some dependencies that eventually depends on a package called "wordwrap".

And this "wordwrap" package somehow has its test folder exposed in npm.

The result:

Every single person using bower would have one or more copies of In Praise of Idleness by Bertrand Russell on your local machine, depending on how many of your projects has a npm dependency of this package:

https://github.com/substack/node-wordwrap/blob/master/test/i...

Don't believe me? Try searching for "In Praise of Idleness" in Spotlight.

Edit: Someone had already sent a PR about this on GitHub: https://github.com/substack/node-wordwrap/pull/14

Anyone knows how to prevent all node_modules folders from getting indexed by Spotlight?

Old-school grepping or using Notepad++'s find in files feature is far away the best method I've come across, which is... kinda sad.

The client on the other hand? It's baaad.

[1] http://www.voidtools.com/

"because my deployment (google app engine) allows only 10K files"

meaning, they don't realize that node_modules is for development and not related to the application they would actually deploy.

IIRC Angular 2 production builds are actually pretty efficient.

[1] - http://monkberry.js.org/

Though to be fair a "modern" JS dev environment does use a ton of unnecessary stuff!

I fixed your comment.

Buble says "Files (940 KB)" but it doesn't do everything Babel does (just a strict subset).

Is anyone's quality of life really impacted by the size of babel vs buble?

Does the size of a compiler really change anything for the average developer (obviously within reason)?

The "recommended" way is to install babel for each project independently. Space is cheap, internet speeds are fast for many, and avoiding version issues outweighs the savings.

But you can install globally, so you'd install babel once and can use it in all projects that way.

Then throw in the possibility of different package managers and you get a crazy amount of freedom and choice. People get overwhelmed with "javascript fatigue" and I just don't get it. You don't need to do everything, but having the option to is amazing.

Although there definitely is a performance cost to Babel's large dep tree as each of these modules have to be found by Node (which is inefficient). If you use Babel with npm2 it is super slow, because npm2's folder structure causes more lookups.

[1] https://github.com/avajs/ava

this.

Granted, it's the same with everything- if you expanded every compressed file and counted every class, most languages and frameworks would just be incredibly nuts, because all of them aren't needed.

But, something could be done about that; you could better differentiate what is there for convenience, and what needs to be there and make the developer more aware of what they are using. It can make development more difficult if done poorly, but good examples of minimalist development are out there, e.g. Sinatra and similar frameworks that said X is too much- just use this.

I believe that creating a module without relying on other modules will likely lead to reinventing the wheel. Well, lots of wheels.

However, that might still be fine. But what about that one corner case you missed? It might already be solved in a third-party module that focuses on one thing only.

It's really not that bad to try and use specialized modules as much as you can. You can benefit from other people's cleverness and focus on more relevant work.

Yes, there will probably be a lot of on-disk overhead. But is that really relevant today?

If there is a well written, well tested, and widely used micro-library out there that does one thing and does it very well, why not use it?

Even if you think you can re-implement it in 5 minutes, will yours be as fast? Will yours be as well tested? Will yours have an interface that many other developers already know and use?

Sometimes reinventing the wheel is needed, but most of the time using a well working wheel that someone else made is the best choice.

Because every dependency comes with a cost. First of all, it needs to be available and the author might decide to pull it - maybe not from npm, but from github. Second is a matter of trust: Someone just needs to take over the left-pad authors npm account an all of a sudden he can inject arbitrary code into all projects using the dependency. I'd bet that 90% of folks don't even bother to check the left-pad code. So basically you need to trust each and every author of dependencies that they're benevolent and competent, that is: They don't drop the ball, get hacked, loose access, ... And that task gets harder and harder the more dependencies you have to vet. In a lot of instances just inlining the code would be better. A larger stdlib that can be selectively included would be better. It's a tough problem and npm just sits on an extreme end of the scale.

Bundling to me is such a sledgehammer solution. Yeah, it can somewhat prevent many of those issues, but it also comes at a pretty large cost.

* it leads to code duplication

* it can ruin the performance of tree-shaking and minification systems

* it prevents you from swapping out a small module with another globally

* it makes it harder to inspect and debug the code that you have installed in the node_modules directory

* it makes it harder to verify that the code on your machine is the same as the source code

* the bundler can introduce bugs into the source code

* The package now needs to maintain a build step and needs to maintain a separate source and "binary"

And more. Plus, in the end you might not even be helping anything. A big repo like lodash can have just as many contributors as tons of little dependencies, and big repos aren't immune to the org running it going belly up.

I guess I see those problems as more of a "large amount of code" problem instead of a "large amount of dependencies" problem.

Neither did I deny that inlining everything comes at a cost as well, so the goal is to find a good point on the scale. I was just pointing out that having tons of small dependencies is not free of cost.

There are too many implementations (by design) and the language is such a "mutt" of designs that it will never happen.

I personally don't think that's a bad thing, but it is different to how many languages work.

If there are N ways to write a program, M of which are security hazards, it's better to have M/N of all programs exposed to risk than have a M/N chance that all programs are borked.

"Reinventing the wheel" is a leaky cliché: the problem at hand isn't that people would independently try to come up with the solution to a simple problem (rolling something down a hill), but that the instantiations of a solution would be irrevocably linked, such that one flat tire stops all cars.

What's more - jesus, go outside, look at how many kinds of skateboard wheels, car wheels, bike wheels you see in five minutes time.

http://royka.github.io/2016/05/03/front-end-deps.html

  $ unzip -l /usr/java/jdk1.8.0_77/jre/lib/rt.jar | wc -l
  20138

I'd rather look at comparable thing like JEE server + Spring + some server-side renderer like Thymeleaf.

Try exploding every Jar in the JDK and counting how many class files and resources there are.

[1]: https://github.com/babel/babelify/issues/206

IMO it's a pretty big anti-pattern to do that. It just hides the problem of managing dependencies (see, it's not 10,000 files, it's just one!), but doesn't fix any of the issues associated with it.

Keeping each dependency small, and having tons of them means that deduplication can work better, tree shaking works better, and it lets you do things like swapping out one package for another with the same API.

I would be perfectly fine if npm pulled down "distribution" versions for tools like gulp, typescript et al

Even just for the ability to dive into the source i'm using if i'm debugging something, or be able to look at the actual code i'm running if I want to understand how a tool works.

This is one of the reasons why I like how lodash handles their library. You can install the "regular" version of lodash and require it like "normal", or you can install a single big compiled lodash file, or you can install one that exports as ES6 modules, or you can install a single function at a time...

Obviously every package can't afford to spend that much time on packaging, but a framework similar to that along with some changes to NPM to allow tagging a package as an "alias" of another (so lodash-as-one-big-file will be treated as lodash for other packages) would go a long way into making everyone happy.

SHARED_DIR/npm_modules/NAME/VERSION

When you `require` or `import` a file in node.js, it looks for a node_modules and looks for that name in there. If it can't find it there, it starts walking up the directory tree until it finds something it can use (to a point).

This is hardcoded and will be extremely difficult to change without a crazy amount of breaking.

The package manager is free to install however, but it needs to put things where the package-lookup can find them.

Essentially, all they need to do is:

1. leave the current behavior for backwards compatibility; then

2. provide a flag like npm -G that exposes the correct behavior as suggested in the grand parent of using the same path like SHARED_DIR/node_modules/NAME/VERSION for package imports and package management.

With time, newer npm versions will default to the correct behavior. For folks that need backwards compatibility, this would require explicitly setting a npm --compat flag or similar.

node loads modules in a given pattern. Changing that pattern would be global to your project, and would cause issues with tons of 3rd party tools.

the best possible scenario would be to introduce a "new_node_modules" type directory and change to the new system, then look in "new_node_modules" first, then the legacy "node_modules" next, but that's a ton of work, a ton of 3rd party tool breakage, and a lot of possibility for new bugs and breakage for not all that much benefit.

That's not to say it shouldn't be done at some point, just that there are much bigger areas that need to be addressed sooner in the node ecosystem.

And it's easy to say "even a naive attempt by the average developer" would do it better, but I really don't think they would have.

Still, the fact is that this is what we have, and complaining about what could have been isn't going to do anyone any good, improving the system will.

I try not to think about that JS tooling too hard, lest I start pulling my hair out and devolve into a screaming crazy person.

It's just that this problem can't be solved entirely by npm. Node has to make changes to it's module loader as well.

  node_modules/
    a/
      node_modules/
        c/ (1.0.0)
    b/
      node_modules/
        c/ (1.0.0)
    c/ (2.0.0)

    node_modules/
        versions/
            a@1.0.0
                node_modules/
                    c -> ../../c@1.0.0
            b@1.0.0
                node_modules/
                    c -> ../../c@1.0.0
            c@1.0.0/
            c@2.0.0/
        a -> versions/a@1.0.0
        b -> versions/b@1.0.0
        c -> versions/c@2.0.0

[0]: https://docs.npmjs.com/how-npm-works/npm3-dupe

[1]: https://docs.npmjs.com/how-npm-works/npm3-nondet

Great idea though, and it probably has improved a bunch since then.

This is one of the reasons why I love the JS ecosystem. You can even choose among a few tools you use to install packages from a package manager.

Looks like it is supported now:

https://github.com/alexanderGugel/ied/issues/7#issuecomment-...

I used it successfully in a project and it even worked with native modules.

Maven repositories have following structure, that allows to avoid duplication and take versions into account: /<vendor namespace>/<library>/<version>/<library artifact.ext>

Vendor namespace itself is hierarchical and usually related to domain name, e.g. "com/mycompany/myapp".

No idea, why this approach is not yet used in JS world (except the webjars), but it's high time to fix it this way.

Plus, it started out broken. I had to search elsewhere to find the solution to the error the tutorial produced.

Minify it, run dead code elimination. Exactly as you would with any other language with a compiler.

Also, worth noting that the tutorial being broken isn't symptomatic of JS, that's a problem with Angular (which has a history of sucking, and IMO Angular 2 just takes all of the problems with Angular 1 and adds more baggage to it).

Be aware as well that Angular 2 is a full-fledged Web Framework. Even after all of this compression and such, it is not going to be as lightweight as you'd expect simply due to the nature of what you've installed.

If you want something really lightweight, go with Rivets or React.