2 points | by monarchwadia 12 hours ago
3 comments
In an environment with so many supply chain attacks, this is scary. You can't help but be exposed to supply chain attacks with this kind of philosophy.
Looks like 122 when it's all installed
Seems it's 1078 total dependencies. Only 2 prod dependencies, but as we saw with recent attacks, dev tooling is an attack surface.
I ran this script to count all packages in package-lock.json:
  node -e '
    const lock = require("./package-lock.json");
    // skip the root entry "" (the project itself)
    const entries = Object.entries(lock.packages || {}).filter(([k]) => k);
    const c = { prod: 0, dev: 0, optional: 0, peer: 0, total: 0 };
    for (const [, p] of entries) {
      c.total++;
      if (p.peer) c.peer++;
      else if (p.optional) c.optional++;
      else if (p.dev) c.dev++;
      else c.prod++;
    }
    console.log(c);
  '
{ prod: 2, dev: 955, optional: 113, peer: 8, total: 1078 }