
If we're going to call a spade a spade, then let's go ahead and say that the majority of the packages that are always referenced in those discussions (is-even, is-odd, etc.) are maintained and primarily used by a minority of developers that are very well known in the ecosystem.

This minority makes money out of their popularity in the NPM ecosystem. Having 1000 NPM packages is better for your reputation than having 100. And having all 1000 packages with lots of weekly downloads is better than having just a portion of that.

But how do they achieve that? Well, they have 1000 NPM packages, so each one depends on 5 to 10, which then depend on a handful more. You have packages for checking if an HTTP status is a certain number, you have packages that have colors as constants, you have is-even, is-odd and so on. All that exists to maintain that closed ecosystem.

So out of the 1000 they basically have 20 useful tools and 980 garbage packages that exist only to maintain their own ecosystem.

Most people aren't using is-even or is-odd directly. They imported some other packages that are quite useful, but often need 10-20 sub-dependencies. Another interesting thing is that those shitty packages aren't really that important in applications. They're often used in build tools, CI and testing, tools for making CLI tools, and the sort.

The crazy thing is that a lot of people using is-even/is-odd aren't really "noobs": they're probably experienced developers that said "fuck it, I'll use some random tool from the web" when facing some random problem.



That's a more charitable (and more reassuring) interpretation than "developers don't know the modulo operator".

That said, it still leaves a sour taste as this effectively implies that a certain set of JS developers is very happy to abuse their (maybe initially rightfully earned) prestige to gain even more prestige while leaving behind a mess for the whole ecosystem. I don't understand why this is tolerated. The Node community needs to have a serious discussion about why certain packages are allowed to spread garbage, create forks of the relevant packages that rip out "is-even" etc. and then eventually converge to these forks. But to this day, I don't see the community taking this problem seriously enough.

Now, supply chain attacks and "too many dependencies" are a potential issue for every language with dependency management (see also log4j, etc.), but no other ecosystem seems to have such a high frequency of issues, and (widely used) "is-even" packages are simply not a thing in any other mainstream language (some languages, like Swift, include similar functionality in the standard library, which is totally fair).


The reason it is tolerated is because the philosophy of "thousands of small packages" has spread far and wide.

For every person calling it out like we're doing here, there are ten others praising maintainers able to whip up ten semi-useless packages per week.

It's not just random maintainers making small packages. The core infrastructure of Javascript is in it. Babel is made of hundreds of packages, which all live in the same repository (because of course the maintainers don't want the hassle of maintaining multiple things). Some of those packages don't even have anything of importance in them, just metadata, a couple of flags and some boilerplate [1]. The package is just a way of organizing code. Webpack, ESLint and others aren't exactly better.

EDIT: And of course I got downvoted :)

[1] https://github.com/babel/babel/blob/main/packages/babel-plug...


You're tacitly giving the people you despise leverage when you say things like:

> The core infrastructure of Javascript is in it. Babel[...]

Babel is not core JS infrastructure. It may be close to fundamental to the modern NodeJS development experience, but JS exists happily (and capably) without any of that stuff (including package.json, for that matter).


Fair enough! True, Babel is only "core" for a subset of JS developers, not for the language.

I don't really despise anyone in Babel, though, I'm only criticising their packaging method. Babel isn't doing the million-packages thing to gain popularity.


> Having 1000 NPM packages is better for your reputation than having 100. And having all 1000 packages with lots of weekly downloads is better than having just a portion of that.

Should we treat them as spammers and polluters, then? Because if what you describe is true, that deserves to be called out and mowed to the ground.


Definitely.

It is more akin to SEO spamming than black market spamming, though. They're polluting NPM in the same way SEO farms spam Google. It makes life difficult for everyone, but it's still a gray area in terms of legitimacy. Which is why nobody really talks about it.


I don't know if this is true, but if it were true you'd have a veritable "tragedy of the commons" [0] situation where privatization of (some) gains leads to the creation of negative externalities for the rest.

If incentives were aligned differently, different results might have resulted. Probably with different externalities (or unintended consequences).

[0]: https://en.wikipedia.org/wiki/Tragedy_of_the_commons?wprov=s...


> Most people aren't using is-even or is-odd directly. They imported some other packages that are quite useful, but often need 10-20 sub-dependencies.

IMO, that's even worse, because that means that a lot of people are using stupid and vulnerable packages without knowing it.

I wish there was some sort of better control over the NPM directory, where someone could block/downvote (or whatever) packages that don't deserve to live. How this would - or should - work in practice, I have no idea, but it's just getting scarier by the day to import a package in your application.
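
The comment above worries about packages that arrive without anyone choosing them. As an added example that is not part of the thread, here is a small Node script that walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3, the format npm 7 and later write) and prints every chain from the project root to a given package, so you can see which of your direct dependencies dragged it in, and whether more than one copy is installed. The sample lockfile is constructed for illustration; `useful-cli`, `build-helper` and `http-status-is-ok` are made-up names. npm's own `npm explain <pkg>` answers the same question for an installed node_modules tree; reading the lockfile directly lets the same check run in CI before anything is installed.

```javascript
// Added example (not from the thread): explain why a package such as is-odd is
// installed, by walking the "packages" map of an npm lockfile (lockfileVersion
// 2 or 3). Assumes the shape npm writes; the sample lockfile below is
// constructed for illustration and is not a real project.
const NM = "node_modules/";

// Constructed sample: one runtime and one dev dependency that between them pull
// in two copies of is-odd (and of is-number), the nested ones under is-even.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "useful-cli": "^1.0.0" }, devDependencies: { "build-helper": "^2.0.0" } },
    "node_modules/useful-cli": { version: "1.0.0", dependencies: { "is-odd": "^3.0.0", "http-status-is-ok": "^1.0.0" } },
    "node_modules/is-odd": { version: "3.0.1", dependencies: { "is-number": "^6.0.0" } },
    "node_modules/is-number": { version: "6.0.0" },
    "node_modules/http-status-is-ok": { version: "1.0.0" },
    "node_modules/build-helper": { version: "2.0.0", dev: true, dependencies: { "is-even": "^1.0.0" } },
    "node_modules/is-even": { version: "1.0.0", dev: true, dependencies: { "is-odd": "^0.1.2" } },
    "node_modules/is-even/node_modules/is-odd": { version: "0.1.2", dev: true, dependencies: { "is-number": "^3.0.0" } },
    "node_modules/is-even/node_modules/is-number": { version: "3.0.0", dev: true },
  },
};

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function pkgName(path) {
  return path.slice(path.lastIndexOf(NM) + NM.length);
}

// Node resolution as npm lays the tree out: the nearest node_modules/<name>
// walking up from the requiring package's own directory to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/${NM}${name}` : `${NM}${name}`;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (!base) return null; // reached the root without finding it (e.g. an absent optional dep)
    const idx = base.lastIndexOf(`/${NM}`);
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Names a package requires. devDependencies only count at the root, since npm
// does not install the dev dependencies of dependencies. peerDependencies are
// skipped because they are satisfied through some other edge in the graph.
function depsOf(packages, path) {
  const p = packages[path];
  const names = Object.keys({ ...(p.dependencies || {}), ...(p.optionalDependencies || {}) });
  if (path === "") names.push(...Object.keys(p.devDependencies || {}));
  return names;
}

// Map from each lockfile path to the resolved paths it depends on.
function buildGraph(lock) {
  const packages = lock.packages;
  const graph = new Map();
  for (const path of Object.keys(packages)) {
    const edges = [];
    for (const name of depsOf(packages, path)) {
      const target = resolveDep(packages, path, name);
      if (target !== null) edges.push(target);
    }
    graph.set(path, edges);
  }
  return graph;
}

// Every chain root -> ... -> <targetName>, as lists of "name@version". Each
// distinct installed copy of the package shows up through its own chain(s).
function explain(lock, targetName) {
  const graph = buildGraph(lock);
  const chains = [];
  const walk = (path, trail) => {
    if (trail.includes(path)) return; // cycle guard
    const next = [...trail, path];
    if (path !== "" && pkgName(path) === targetName) {
      chains.push(next.slice(1).map((p) => `${pkgName(p)}@${lock.packages[p].version}`));
      return;
    }
    for (const child of graph.get(path) || []) walk(child, next);
  };
  walk("", []);
  return chains;
}

// Direct vs transitive counts for the whole install, plus lockfile entries
// that nothing reaches from the root (stale leftovers).
function summarize(lock) {
  const graph = buildGraph(lock);
  const direct = new Set(graph.get(""));
  const reachable = new Set();
  const stack = [""];
  while (stack.length) {
    for (const child of graph.get(stack.pop()) || []) {
      if (!reachable.has(child)) { reachable.add(child); stack.push(child); }
    }
  }
  const all = [...reachable];
  return {
    direct: direct.size,
    transitive: all.filter((p) => !direct.has(p)).length,
    devOnly: all.filter((p) => lock.packages[p].dev === true).length,
    unreachable: Object.keys(lock.packages).filter((p) => p !== "" && !reachable.has(p)).length,
  };
}

for (const chain of explain(sampleLock, "is-odd")) console.log(chain.join(" -> "));
console.log(summarize(sampleLock));
```

On the sample the script prints two chains for is-odd: one through `useful-cli` (a runtime dependency, so it ships with the application) and one through `build-helper` and `is-even` (dev only, so it runs at build time but is never deployed), which is exactly the distinction the comment earlier in the thread draws between packages that matter in the application and packages that only matter in build tooling. On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files use a nested `dependencies` layout instead and are not handled here.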


The problem is that those fame-chaser maintainers aren't the only ones doing it. Babel does it. Webpack does. ESLint does it. Before them others did.

If we ban those, we'd have to ban Babel and Webpack too... Oh now, wait a minute, now that actually sounds interesting...


Wow. You must be a special kind of stupid?

What if we focused on fixing all the problems, and not just retreating thinking that "we can't solve this problem, because there are so many other problems related to it"?

Your thinking is literally the definition of the problem.


A few developers will register multiple packages that are essentially the same package with small tweaks. They choose the names in a way to get the right keywords to hit from npmjs's search.



