Arkanic

is-useless

A useless npm package

Why?

It seems like whenever you install an npm package, you get a boatload of dependencies. I'm not complaining about dependencies as such, since the whole point of libraries is that people don't have to reinvent the wheel. What I'm complaining about is the useless ones that larger packages seem to be full of.

It's packages like is-odd that are sort of annoying. This package returns true if a number is odd and false if it is even. The exact same functionality can be achieved with this line of code:

x%2!=0

Npm is full of useless packages like these. This thread seems to sum it up.

It's not just random aggression towards the fact that these small packages exist, either. It's a real security risk. Your average node.js project has hundreds of packages in node_modules, so if one of them suddenly went rogue, it could take some time before anyone noticed. This isn't just a hypothetical event either. Things like this have actually happened before.
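As an added illustration of that risk (example code written for this page, not part of the original post or of the is-useless package): a small audit of an npm package-lock.json in the lockfile v2/v3 format, run over a constructed lockfile with made-up package names, that counts how many packages an install pulls in and flags the ones that run code at install time or have no integrity hash pinned.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); package names are made up.
// "hasInstallScript" is what npm records for packages with pre/postinstall hooks.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "is-useless": "^1.0.0", "tiny-pad": "^0.1.0" } },
    "node_modules/is-useless": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/is-useless/-/is-useless-1.0.0.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/tiny-pad": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/tiny-pad/-/tiny-pad-0.1.0.tgz",
      integrity: "sha512-BBBB",
      dependencies: { "is-num": "^2.0.0" },
    },
    "node_modules/tiny-pad/node_modules/is-num": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/is-num/-/is-num-2.0.0.tgz",
      hasInstallScript: true, // runs code during `npm install`
    },
  },
};

// Walk every installed package recorded in the lockfile and summarise the
// things a reviewer cares about: how much of the tree is transitive (never
// chosen by the project itself), which packages execute install scripts,
// and which ones have no integrity hash to detect a swapped tarball.
function auditLockfile(lock) {
  const root = lock.packages[""] || {};
  const direct = Object.keys(root.dependencies || {});
  const entries = Object.entries(lock.packages || {}).filter(([p]) => p !== "");
  const findings = { total: entries.length, direct: direct.length, transitive: 0,
                     maxDepth: 0, installScripts: [], noIntegrity: [] };
  for (const [path, meta] of entries) {
    const marker = "node_modules/";
    const depth = path.split(marker).length - 1;               // nesting depth
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    findings.maxDepth = Math.max(findings.maxDepth, depth);
    if (depth > 1 || !direct.includes(name)) findings.transitive++;
    if (meta.hasInstallScript) findings.installScripts.push(`${name}@${meta.version}`);
    if (!meta.integrity) findings.noIntegrity.push(`${name}@${meta.version}`);
  }
  return findings;
}
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the transitive count is the part of the tree nobody on the project explicitly chose.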

left-pad

left-pad was just one of your average packages that achieved almost nothing and installed even more dependencies. It was owned by Azer Koçulu. Koçulu was one of those people who churn out tiny packages like this, and had over 200 of them.

Koçulu also had another package called Kik. Apparently this package caught the attention of a chat application with the same name, whose lawyers forced him to take the package down. In a fit of rage, Koçulu took down all 200+ of his npm packages.

The package left-pad was taken down along with all of his other packages. This is the code for left-pad:

module.exports = leftpad;

function leftpad (str, len, ch) {
  str = String(str);

  var i = -1;

  // default to a space unless a pad character (including 0) was given
  if (!ch && ch !== 0) ch = ' ';

  // number of characters still needed to reach the target length
  len = len - str.length;

  while (++i < len) {
    str = ch + str;
  }

  return str;
}

Not much, right?

Except that massively used packages, including node and babel, depended on it. The badly stacked brick tower that was npm collapsed.

Some of the results can be seen here, here, and here.

Don't get me wrong. I think npm is an amazing tool that allows people to make tools that they would not have been able to achieve on their own. I use it a lot myself. I'm just concerned that there is something inherently dodgy about how if one small package like left-pad breaks, titans like node and babel have the potential to go down with it.

This is why I made is-useless. It's a useless npm package that simply exists. It can be installed, and its functionality probably won't change too much.

So why not install? (There is every reason why you shouldn't)

npm i is-useless

Footnote: for some reason the package has gotten a ridiculous amount of downloads (350 in one day), and I think it's been botted. It wasn't me, so someone really likes this package for some reason.
