
Explore the hidden costs of the npm ecosystem, from security risks to organizational debt. Learn why your dependency tree might be your biggest technical liability.

The npm Tax: What You Actually Pay

"But it's just one dependency!" — the argument that installed 1,400 packages.

Right then. Let's examine what you're actually purchasing when you run that simple npm install command. In the modern development landscape, we've traded control for speed, and the invoice is coming due.

The Technical Invoice: A Chain of Distrust

One package installs 20. Each of those installs 10 more. When you use create-react-app, you approved one package but received 1,400. Even a relatively lightweight framework like Express.js brings 57 dependencies with it. This is a chain of distrust, growing exponentially with every new addition to your package.json.

Did you vet Express? Perhaps. Did you vet its 57 dependencies? Their dependencies? What about the maintainer three levels deep — the one you've never heard of, whose code processes your user input? Did anyone audit that?

The answer, almost certainly, is no. And the industry has catastrophically decided that's acceptable. This is a systematic violation of IT security principles that have existed for decades:

  1. Never execute untrusted code.
  2. Verify before trust.
  3. Minimize attack surface.

npm violates all three, by design, every single day.

The Organizational Invoice: Delegated Trust

We've seen the consequences of this model time and again:

  • left-pad (2016): 11 lines of code, mass infrastructure failures when it was withdrawn.
  • event-stream (2018): 8 million weekly downloads, cryptocurrency theft via a compromised dependency.
  • ua-parser-js (2021): 7 million downloads, cryptominers injected.

Your security team audits your code. But who audits the 1,400 packages you've delegated trust to? Dependabot and Snyk scan for known vulnerabilities — after discovery. They are selling plasters for a structural wound. In fact, many security companies depend on npm remaining broken to maintain their business model.

npm hosts over 2.1 million packages — the largest code pile on Earth. Over half are effectively unmaintained. You're building on a house of cards where most cards were placed years ago by people who've moved on.

The Systemic Failure: Speed Over Security

Why does nobody question this? Because questioning requires understanding, and understanding requires time.

The modern JavaScript path often looks like this: 8 hours of syntax, then straight into React. This framework-first education means the toolchain is often a black box. You run npm install, it works, and you move on.

Developers sit across from stakeholders who can inject features directly into the sprint. "Can we add this by Friday?" The dependency is just one npm install away. It's difficult to argue for caution under that pressure. Explaining supply chain risk to someone measuring velocity in story points is a losing battle.

In today's industry, shipping fast is rewarded, while shipping secure is invisible. The audit never occurred, and the next sprint has already started.

The Root Cause: A Standard Library Gap

JavaScript shipped without a robust standard library. No HTTP client, no built-in cryptography, and no date formatting that actually works for modern needs.

Rather than fixing the language, npm became the standard library — 2.1 million packages later. Developers install is-odd (which gets 400k weekly downloads) to check if a number is odd. The function is literally one line: return n % 2 === 1.

Compare this to other ecosystems. Python ships with "batteries included." Go and Rust have rich standard libraries. JavaScript, conversely, has mass unverified trust in mass unmaintained code.

The node_modules folder that weighs more than your application is not a feature. It's an invoice.

Conclusion: Reclaiming Control

It is time to stop viewing dependencies as free. Every line of code you didn't write is code you still have to own.

To mitigate the npm tax, we must:

  • Minimize dependencies: Before installing, ask if you can write the logic yourself.
  • Audit your tree: Use tools to visualize and prune unnecessary sub-dependencies.
  • Value stability over speed: Choose well-maintained, battle-tested libraries over the latest trend.
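One way to carry out the "Audit your tree" step, and to see how deep the maintainer three levels down actually sits: an added JavaScript example (not the article's own code) that walks a lockfile's "packages" map, assuming a lockfileVersion 2 or 3 package-lock.json. The SAMPLE_LOCK fragment is constructed for illustration, not copied from any real project.

```javascript
// Added example (not from the article): walk a package-lock.json "packages" map (lockfileVersion 2/3)
// and record each installed package's depth below package.json and which direct dependency pulled it in.
// Resolve a name the way Node does: nearest node_modules first, then walk up towards the root.
function resolve(pkgs, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (pkgs[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. optional or peer dependency)
    base = base.slice(0, Math.max(0, base.lastIndexOf("/node_modules/")));
  }
}

function analyzeLockfile(lock) {
  const pkgs = lock.packages;
  const direct = Object.keys(pkgs[""].dependencies || {});
  const depth = new Map(), via = new Map(); // path -> level; path -> first direct dependency found responsible
  const queue = [];
  for (const name of direct) {
    const p = resolve(pkgs, "", name);
    if (p) { depth.set(p, 1); via.set(p, name); queue.push(p); }
  }
  while (queue.length) { // breadth-first, so the first visit is the shallowest path
    const p = queue.shift();
    for (const dep of Object.keys(pkgs[p].dependencies || {})) {
      const child = resolve(pkgs, p, dep);
      if (!child || depth.has(child)) continue; // uninstalled or already seen
      depth.set(child, depth.get(p) + 1); via.set(child, via.get(p)); queue.push(child);
    }
  }
  return {
    direct: direct.length,
    installed: Object.keys(pkgs).length - 1, // every entry except the root ""
    maxDepth: Math.max(0, ...depth.values()),
    transitive: [...depth].filter(([, d]) => d > 1) // what you never asked for
      .map(([p, d]) => ({ name: p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length), depth: d, via: via.get(p) })),
  };
}

// Constructed lockfile fragment (versions illustrative); is-odd's older is-number is nested, not hoisted.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { express: "^4.18.0", "is-odd": "^3.0.1", "is-number": "^7.0.0" } },
  "node_modules/express": { version: "4.18.2", dependencies: { accepts: "~1.3.8" } },
  "node_modules/accepts": { version: "1.3.8", dependencies: { "mime-types": "~2.1.34" } },
  "node_modules/mime-types": { version: "2.1.35", dependencies: { "mime-db": "1.52.0" } },
  "node_modules/mime-db": { version: "1.52.0" },
  "node_modules/is-odd": { version: "3.0.1", dependencies: { "is-number": "^6.0.0" } },
  "node_modules/is-odd/node_modules/is-number": { version: "6.0.0" },
  "node_modules/is-number": { version: "7.0.0" },
} };
if (typeof require !== "undefined" && require.main === module) console.log(JSON.stringify(analyzeLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); the transitive list is the part of the tree nobody on your team approved.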

The convenience of npm is a loan with a high interest rate. It's time we started looking at the price tag before we buy.


Originally shared by Vivian Voss

Published on January 05, 2026