npm hosts over 2 million packages. A blank React app installs 1,487 of them.
This is the Microdependency Tax — paid in supply-chain incidents, security
hours, and the fragility of an ecosystem where 11 lines of code can break
production worldwide.
In March 2016, an eleven-line package called left-pad was unpublished from
npm and roughly half of JavaScript's build systems started failing. The
industry treated it as a quirky anecdote. It was a stress test — and the
ecosystem failed it.
This video traces the structural reason npm grew to 2 million packages
(spoiler: the incentive structure rewards fragmentation), why an average
commercial React or Next.js app pulls 1,200 to 1,800 transitive
dependencies no human reads, the supply-chain incidents that should have
changed everything (event-stream 2018, ua-parser-js 2021, colors and faker
2022), and the quiet correction happening now: Sindre Sorhus reversing
course, and Deno, Bun, and Node shipping native standard libraries that
replace dozens of packages with one binary.
The Microdependency Tax is not a JavaScript problem. It is the visible
edge of a structural failure running at every layer of the modern software
stack.
RELATED VIDEO ON THE CHANNEL
The Great De-bloating: Why Modern Software Is Finally Breaking
CHAPTERS
0:00 The 400 Strangers
0:30 Left-pad Breaks the Internet
1:06 The Microdependency Tax
2:14 Is-Odd and Load-Bearing Absurdity
2:49 The Unauditable Tree
3:46 Event-Stream, ua-parser-js, colors
5:05 Sindre Sorhus Reverses Course
5:32 Deno, Bun, and Native Standard Libraries
6:17 The Tax Nobody Invoices
CONCEPTS AND PACKAGES MENTIONED
left-pad — the 11-line npm package whose 2016 unpublishing broke
Node, Babel, React Native, and most JavaScript build tooling
is-odd — npm package, ~500k weekly downloads, checks if a number is odd
is-number — npm package, ~70 million weekly downloads, dependency of is-odd
kind-of — npm package, transitive dependency of is-number
event-stream — 2018 supply-chain attack; hijacked package exfiltrated
Bitcoin wallet private keys, ~2 million weekly downloads at the time
ua-parser-js — 2021 hijack; shipped a cryptocurrency miner and password
stealer for four hours before takedown, ~8 million weekly installs
colors and faker — January 2022 maintainer self-sabotage; ~20 million
weekly downloads combined; infinite loops broke production builds
Sindre Sorhus — maintainer of hundreds of micro-packages; now publicly
arguing for fewer dependencies and larger standard libraries
Deno — JavaScript runtime with native test runner, formatter, permissions
Bun — JavaScript runtime with built-in HTTP server, SQLite driver, bundler
Node.js — has added native fetch, test runner, and SQLite support
TypeScript utility types — replace lodash Pick / Omit
structuredClone, crypto.randomUUID, Intl.NumberFormat — web platform
features that used to require multiple npm packages each
FREQUENTLY ASKED QUESTIONS
What is the Microdependency Tax?
The Microdependency Tax is the hidden engineering cost of an ecosystem where
trivial logic is shipped as separate packages. It is paid in supply-chain
incidents, security engineer hours, dependency-audit work, build times, and
disk space — none of which appear on a balance sheet.
Why does npm have 2 million packages?
The registry's incentive structure rewards granularity. Each package is a
separate download counter and a separate line on a maintainer's resume.
Splitting a utility into twenty packages multiplies surface area without
multiplying engineering effort. The economics select for fragmentation.
What was the left-pad incident?
In March 2016, an npm maintainer named Azer Koçulu unpublished 273 of his
packages after a trademark dispute. One of them, left-pad, was an eleven-line
function used as a transitive dependency by Node, Babel, React Native, and a
large fraction of JavaScript build tooling. Its removal caused worldwide
build failures and exposed how brittle the npm dependency graph really is.
Is npm actually unsafe to use?
npm itself is not unsafe — but the typical npm dependency tree is structurally
unauditable. An average React or Next.js app pulls 1,200 to 1,800 transitive
dependencies. No human reads them. Documented incidents (event-stream,
ua-parser-js, colors, faker) show what happens when a single deep dependency
is hijacked or sabotaged.
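An added example, not code from the video: a Node.js script that walks a package-lock.json (lockfileVersion 3) the way npm resolves nested node_modules, then reports how much of the installed tree is reached only transitively, how deep the chains run, and which package names are installed in more than one version. The lockfile is constructed inline to mirror the is-odd, is-number, kind-of chain the video describes; "legacy-widget" is a made-up package present only to force a second copy of kind-of.

```javascript
// Added example (not from the video). Constructed lockfile mirroring the
// is-odd -> is-number -> kind-of chain; "legacy-widget" is made up, present
// only to show a second, nested copy of kind-of as npm installs conflicts.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'is-odd': '^3.0.1', 'legacy-widget': '^1.0.0' } },
    'node_modules/is-odd': { version: '3.0.1', dependencies: { 'is-number': '^6.0.0' } },
    'node_modules/is-number': { version: '6.0.0', dependencies: { 'kind-of': '^6.0.0' } },
    'node_modules/kind-of': { version: '6.0.3' },
    'node_modules/legacy-widget': { version: '1.0.0', dependencies: { 'kind-of': '^3.0.0' } },
    'node_modules/legacy-widget/node_modules/kind-of': { version: '3.2.2' },
  },
};
// npm's lookup: the requiring package's own nested node_modules first, then each ancestor's, up to the root.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // declared but never installed: inconsistent lockfile
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}
// Breadth-first walk from the root project; depth 1 = a direct dependency.
function auditLock(lock) {
  const pkgs = lock.packages;
  const depth = new Map(); // installed path -> shortest chain length from root
  for (const queue = [['', 0]]; queue.length; ) {
    const [path, d] = queue.shift();
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const found = resolve(pkgs, path, dep);
      if (found && !depth.has(found)) { depth.set(found, d + 1); queue.push([found, d + 1]); }
    }
  }
  const versions = new Map(); // package name -> set of installed versions
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!path) continue;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    versions.set(name, (versions.get(name) || new Set()).add(meta.version));
  }
  const depths = [...depth.values()];
  return {
    direct: depths.filter((d) => d === 1).length,
    transitive: depths.filter((d) => d > 1).length, // the part nobody reads
    maxDepth: Math.max(0, ...depths),
    duplicated: [...versions].filter(([, v]) => v.size > 1).map(([n]) => n),
  };
}
```

Pointing the script at a real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) gives the transitive count and duplicate-version list for your own project; packages that the walk never reaches are installed but unused and worth pruning.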
Who is Sindre Sorhus?
Sindre Sorhus is one of the most prolific maintainers on npm, the author of
hundreds of small utility packages that sit at the load-bearing center of the
ecosystem. He has more recently begun publicly arguing for the opposite of
what he built: fewer dependencies, larger and vetted standard libraries, and
auditable trees.
#npm #JavaScript #SoftwareSupplyChain #WebDev #SoftwareEngineering