I don’t believe “13,000 dependencies” is counting the right thing at all. In actual fact, I think the number is only 756 or 691, depending on how you count it.

If you look at the eventual package-lock.json and filter it to just lines containing “resolved”, it’s only 756 lines, because it does plenty of deduplication. I don’t have the time to waste on installing it all myself to check, but I *think* it fails to deduplicate some that could theoretically be deduplicated, because of incompatible versions: I *think* that if you have dependencies *a* → *x@1*, *b* → *x@2*, *c* → *x@1* and *d* → *x@2*, it’ll pick one of those versions of *x* (no idea how it chooses—first it encounters, perhaps?) to sit at the top-level node_modules, and any packages that need another version will install their own version, so that in this situation you might get node_modules/x (version 2, used by b and d), node_modules/a/node_modules/x (version 1) and node_modules/c/node_modules/x (version 1, again). I say this based upon very vague recollections of things I read and interacted with years ago, and the structure of package-lock.json; I may be wrong in the details of it.

This way of having multiple copies of the same version of the package is the difference between 756 and 691—there are 65 exact duplicates. For example, you get debug-2.6.9 at the top level, and then within other dependencies, you get three copies of debug-3.2.6, and five of debug-4.1.1. That’s just one example. There are eight copies of four different versions of kind-of. After excluding these exact duplicates, there are then another 67 cases of multiple versions of the same package being installed (kind-of’s four versions is the most).

A few days ago I looked at a case that was double the size of all this: https://news.ycombinator.com/item?id=23488713#23490055

When you get duplicates with incompatible versions like this, it strongly implies unmaintained, or occasionally incorrectly maintained, software. If they all got their act together and simply updated to the latest version of all their dependencies, the number of packages you’d install would not exceed 624.

Look, it’s still a lot, and I scorn many of them as unnecessary and oft counterproductive frivolities, and there’s way too much overlap in many of them; but 13,000 is just a shock number that doesn’t represent what people expect it to represent, or match what they’re concerned about.

(Also this number doesn’t mean you’re taking code from over six hundred sources; some things are just split up into multiple packages because they genuinely are separate concerns; for example, there are 93 packages named @babel/*, indicating first-party code from Babel.)
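The three counts the comment above distinguishes (installed copies, i.e. roughly the lines containing “resolved”; distinct name@version pairs once exact duplicates are removed; and distinct package names, the ceiling you would reach if every consumer agreed on one version) can be computed mechanically from a lockfile rather than by grepping. The following Node script is an added example, not code from the commenter or from npm. It handles both the nested `dependencies` tree of lockfileVersion 1 (the format in use when the comment was written) and the flat `packages` map of lockfileVersion 2/3. The lockfile it runs against is constructed here to reproduce the *a*/*b*/*c*/*d* → *x* scenario described above (one *x* hoisted to the top level, a private copy of the other version nested under each consumer that needs it); the package names, versions and registry URLs in it are made up for illustration.

```javascript
// Three ways of counting what a package-lock.json actually installs:
//   1. installed copies   (one per node_modules entry; ~ the lines containing "resolved")
//   2. distinct name@version pairs (copies minus exact duplicates)
//   3. distinct package names (what you would get if every consumer agreed on one version)
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keyed by path).

// Constructed sample lockfile (not a real project). a and c require x@^1, b and d require x@^2.
// npm hoists one x (here 2.0.1) to the top level and nests a private x@1.2.0 under a and
// under c, so x@1.2.0 is installed twice: one exact duplicate.
const SAMPLE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    a: {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/a/-/a-1.0.0.tgz',
      requires: { x: '^1.0.0' },
      dependencies: {
        x: { version: '1.2.0', resolved: 'https://registry.npmjs.org/x/-/x-1.2.0.tgz' },
      },
    },
    b: { version: '1.0.0', resolved: 'https://registry.npmjs.org/b/-/b-1.0.0.tgz', requires: { x: '^2.0.0' } },
    c: {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/c/-/c-1.0.0.tgz',
      requires: { x: '^1.0.0' },
      dependencies: {
        x: { version: '1.2.0', resolved: 'https://registry.npmjs.org/x/-/x-1.2.0.tgz' },
      },
    },
    d: { version: '1.0.0', resolved: 'https://registry.npmjs.org/d/-/d-1.0.0.tgz', requires: { x: '^2.0.0' } },
    x: { version: '2.0.1', resolved: 'https://registry.npmjs.org/x/-/x-2.0.1.tgz' },
    // Two packages from one scope: separate packages, but one upstream publisher.
    '@scope/one': { version: '3.1.0', resolved: 'https://registry.npmjs.org/@scope/one/-/one-3.1.0.tgz' },
    '@scope/two': { version: '3.1.0', resolved: 'https://registry.npmjs.org/@scope/two/-/two-3.1.0.tgz' },
  },
};

// Flatten a v1 lockfile's nested "dependencies" tree into one record per installed copy.
function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ path, name, version: meta.version, resolved: meta.resolved });
    walkV1(meta.dependencies, `${path}/`, out); // nested copies live under this package
  }
  return out;
}

// One record per on-disk copy, for either lockfile format.
function installedCopies(lock) {
  if (lock.packages) {
    // v2/v3: keys are paths like "node_modules/a/node_modules/x"; "" is the root project itself.
    const marker = 'node_modules/';
    return Object.entries(lock.packages)
      .filter(([path]) => path !== '')
      .map(([path, meta]) => ({
        path,
        name: meta.name || path.slice(path.lastIndexOf(marker) + marker.length),
        version: meta.version,
        resolved: meta.resolved,
      }));
  }
  return walkV1(lock.dependencies, '', []);
}

function summarize(lock) {
  const copies = installedCopies(lock);
  const byNameVersion = new Map(); // "name@version" -> number of on-disk copies
  const byName = new Map();        // name -> Set of installed versions
  for (const c of copies) {
    const key = `${c.name}@${c.version}`;
    byNameVersion.set(key, (byNameVersion.get(key) || 0) + 1);
    if (!byName.has(c.name)) byName.set(c.name, new Set());
    byName.get(c.name).add(c.version);
  }
  const installed = copies.length;
  const distinctVersions = byNameVersion.size;
  const distinctNames = byName.size;
  return {
    resolvedLines: copies.filter((c) => c.resolved).length, // what grepping for "resolved" counts
    installed,
    distinctVersions,
    exactDuplicates: installed - distinctVersions,          // same name@version, several paths
    multiVersionNames: [...byName.values()].filter((s) => s.size > 1).length,
    extraVersions: distinctVersions - distinctNames,        // gone if consumers agreed on one version
    distinctNames,
    duplicatePaths: copies
      .filter((c) => byNameVersion.get(`${c.name}@${c.version}`) > 1)
      .map((c) => c.path),
  };
}

// Group distinct names by npm scope ("@scope/name") to see how many come from one publisher.
function countByScope(lock) {
  const counts = {};
  for (const name of new Set(installedCopies(lock).map((c) => c.name))) {
    const scope = name.startsWith('@') ? name.split('/')[0] : '(unscoped)';
    counts[scope] = (counts[scope] || 0) + 1;
  }
  return counts;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(summarize(SAMPLE_LOCK));
  console.log(countByScope(SAMPLE_LOCK));
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `resolvedLines` then corresponds to the 756-style figure, `distinctVersions` to the 691-style figure, and `distinctNames` to the 624-style ceiling, while `duplicatePaths` lists exactly which nested copies are the redundant ones and `countByScope` shows how many of the distinct names share one publisher scope.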