
npm passes the 1 millionth package milestone! What can we learn?

June 4th is a historic date: it is the day the millionth package was indexed into the npm registry. npm is a package manager for JavaScript packages.


We wanted to share some insights that we found interesting and could get our hands on.

Here are the top 3:

  • lodash: 3 vulnerabilities (1 high sev)
  • request: 1 vulnerability (17 typosquatting attempts)
  • chalk: 0 vulnerabilities (1 typosquatting attempt)

How many downloads do the top 10 packages pull in?

  • debug: >40 million weekly downloads
  • kind-of: >34 million weekly downloads
  • supports-color: >34 million weekly downloads

There’s a more detailed article on other registry and community statistics, such as how many npm packages were added in 2019, as well as some interesting insights from the Node.js Foundation’s package maintenance working group.