Friday, February 12, 2016

Discovery and Quality Services for npm

There are a lot of npm packages around these days (~240k at the time of writing). How do you discover the ones you need? And how do you know which ones are worth using? GitHub stars and forks say something about popularity, but they don't say much about quality. I've tried to list the services I'm aware of in this post:

Discovery Services




Quality Services

I've used Webpack as an example below so you get some concrete data to study:

  • Code Climate
  • bitHound
  • Gemnasium
  • Node Security Project. They provide a tool known as nsp that can be used to check your project against known vulnerabilities.
  • NodeChecker - This tool seems to have stalled. But based on its latest results, only roughly half of all packages have some sort of tests. The real figure might be lower now that npm has grown.
  • allnpmviz3d - This service provides a 3D visualization of npm. You can use it to study dependency graphs in a visual manner.
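To make the NodeChecker-style "does it even have tests?" check concrete, here is a small added example (not code from the original post or from any of the services listed) that scores a set of package.json manifests on three signals: a real test script, a declared license and a repository link. It assumes Node.js only; the manifests are constructed samples, and the placeholder test script it filters out is the one `npm init` writes by default.

```javascript
// Added example: heuristic quality signals read from package.json manifests.
// The manifests below are constructed samples, not real registry data.
const DEFAULT_TEST_PLACEHOLDER = 'echo "Error: no test specified" && exit 1';

function auditManifest(pkg) {
  const scripts = pkg.scripts || {};
  const test = typeof scripts.test === 'string' ? scripts.test.trim() : '';
  // `npm init` writes a placeholder test script that always fails; count it as "no tests".
  const hasTests = test.length > 0 && test !== DEFAULT_TEST_PLACEHOLDER;
  const hasLicense = typeof pkg.license === 'string' && pkg.license.length > 0;
  // "repository" may be a shorthand string ("org/repo") or an object with a url.
  const repo = pkg.repository;
  const hasRepository = typeof repo === 'string' ? repo.length > 0 : Boolean(repo && repo.url);
  return { name: pkg.name, hasTests, hasLicense, hasRepository };
}

// Audit many manifests and report which fraction has a real test script.
function summarize(manifests) {
  const results = manifests.map(auditManifest);
  const withTests = results.filter((r) => r.hasTests).length;
  return { results, testedFraction: withTests / results.length };
}

// Constructed sample manifests covering the cases the heuristic distinguishes.
const SAMPLE_MANIFESTS = [
  { name: 'pkg-a', license: 'MIT', scripts: { test: 'mocha' },
    repository: { type: 'git', url: 'https://example.invalid/pkg-a.git' } },
  { name: 'pkg-b', scripts: { test: DEFAULT_TEST_PLACEHOLDER } }, // placeholder only
  { name: 'pkg-c', license: 'ISC' },                               // no scripts at all
  { name: 'pkg-d', scripts: { test: 'tap test/*.js' }, repository: 'example-org/pkg-d' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(SAMPLE_MANIFESTS), null, 2));
}
```

The same function can be pointed at manifests fetched from the registry to reproduce a NodeChecker-style survey over real data.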


Mirrors

I managed to find only a single mirror. There used to be more, including an EU one. I'm not exactly sure what happened. The current situation is at least a little worrying: right now we are relying on npm's own infrastructure always being available.


Conclusion

I feel one of the greatest challenges npm is going to face in the near future has to do with discovery and package quality. The number of packages is growing at a scary pace. I haven't done the math, but it wouldn't surprise me if it broke the 300k mark during this year. It just grows faster and faster.

I hope the lists above help you evaluate the packages you might want to use in a more objective manner. Spending some time on research can save a lot of time over the longer term. Project popularity itself isn't any guarantee of quality. It just tells you that the problem it solves is an important one. Perhaps the marketing worked and the project went viral. Maybe more could be done to help the consumers of the packages.

It could be a neat idea to try to combine discovery and quality services in a more concrete manner. I hope we see more innovation in this space as JavaScript keeps getting more and more popular. The quality problem is a very acute one, especially as you begin to see JavaScript in the enterprise space.