by bfred_it 2636 days ago
> This doesn't scale easily when you consider the volume that places like NPM have.

Found the blanket statement for npm.

How about instead of reviewing 1 library of 10k lines that does everything, you review 10 focused modules for a total of 1k lines?

Also modules like left-pad don’t change that often so you probably have to review only changes in the top modules.

We need to stop this mentality that dependency count should be low. Look at total LOC and you’ll probably find that it’s not as bad as people like to paint it.


A high dependency count does increase your vulnerability surface area. All it takes is one weak or reused password on an account without 2FA enabled for a malicious package to be uploaded. You're more vulnerable to this when you depend on more individual publishers to get it right.
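As an added example, not written by either commenter, here is how the two metrics the thread argues about can be computed from a dependency graph: the total lines of code you would have to review, and the number of distinct publisher accounts whose compromise would reach you. The package names, maintainer lists and `loc` line counts are constructed sample data in the shape of npm registry metadata; a real line count would come from a tool such as cloc run over `node_modules`.

```javascript
// Constructed sample registry metadata (not real packages or people).
// `loc` is a hypothetical line count you would gather yourself.
const registry = {
  app:             { maintainers: ['me'],           loc: 2000, dependencies: ['web-framework', 'left-pad'] },
  'web-framework': { maintainers: ['alice', 'bob'], loc: 9000, dependencies: ['util-a', 'util-b'] },
  'util-a':        { maintainers: ['carol'],        loc: 300,  dependencies: ['left-pad'] },
  'util-b':        { maintainers: ['bob'],          loc: 400,  dependencies: [] },
  'left-pad':      { maintainers: ['dave'],         loc: 50,   dependencies: [] },
};

// Walk the transitive dependency closure of `root` (excluding root itself).
// Returns the set of package names reached; cycles and shared deps are
// visited once, so a module pulled in twice is counted once.
function transitiveDeps(registry, root) {
  const seen = new Set();
  const stack = [...registry[root].dependencies];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    stack.push(...(registry[name]?.dependencies ?? []));
  }
  return seen;
}

// Aggregate the two competing risk metrics over the closure:
//  - totalLoc: how much code a reviewer must actually read (the LOC view)
//  - distinctPublishers: how many separate accounts must each stay
//    uncompromised (the attack-surface view from the reply)
function auditMetrics(registry, root) {
  const deps = transitiveDeps(registry, root);
  const publishers = new Set();
  let totalLoc = 0;
  for (const name of deps) {
    totalLoc += registry[name].loc;
    registry[name].maintainers.forEach((m) => publishers.add(m));
  }
  return { dependencyCount: deps.size, totalLoc, distinctPublishers: publishers.size };
}

// Probability that at least one of n independent publisher accounts is
// compromised in a period, given per-account probability p. Shows why the
// publisher count matters even when the LOC total is modest.
function anyPublisherCompromised(n, p) {
  return 1 - Math.pow(1 - p, n);
}

const m = auditMetrics(registry, 'app');
console.log(m, anyPublisherCompromised(m.distinctPublishers, 0.01).toFixed(4));
```

Reading the output side by side, the same tree scores differently on each metric, which is the disagreement between the two comments in numbers.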