And that it is not even the worst I have seen.
I think the worst offenders are development tools like webpack.
I have a small project that I work on from time to time which uses 5 libraries (react, a map library and a chart library), typescript, and react-scripts (which I guess pulls in webpack and all the rest).
This is what happens when I run an npm audit (I haven't touched it for a couple of months)
> found 38934 vulnerabilities (38916 low, 18 moderate) in 906346 scanned packages
> run `npm audit fix` to fix 38620 of them.
> 314 vulnerabilities require manual review. See the full report for details.
While the real numbers are probably lower because there is a lot of duplication inside the node_modules folder, I find this ... astounding.
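The post above notes that the raw package count is inflated by duplicate copies nested inside `node_modules`. The script below is an added example, not code from the thread or from npm, that makes that distinction concrete: it reads a `package-lock.json`-style `packages` map (lockfile version 2/3 layout, where each key is the install path) and reports installed copies versus unique `name@version` pairs, plus which packages are present more than once. The lock data embedded in it is constructed for the example, and the function names are this example's own.

```javascript
// Added example (not from the thread): count installed package copies in a
// lockfile "packages" map and find nested duplicates of the same name@version.
// SAMPLE_LOCK is constructed for this example; a real file would be loaded
// with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { a: "^1.0.0", b: "^2.0.0" } },
    "node_modules/a": { version: "1.0.0", dependencies: { c: "^1.0.0" } },
    "node_modules/b": { version: "2.0.0", dependencies: { c: "^2.0.0" } },
    "node_modules/c": { version: "1.0.0" },
    // b needs a different major of c, so npm nests a second copy under b.
    "node_modules/b/node_modules/c": { version: "2.0.0" },
    "node_modules/@scope/d": { version: "0.3.1", dependencies: { c: "^1.0.0" } },
    // Same version as the top-level c: a true duplicate copy on disk.
    "node_modules/@scope/d/node_modules/c": { version: "1.0.0" },
  },
};

// The package name is everything after the last "node_modules/" in the
// install path; scoped packages keep their "@scope/" prefix.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns { copies, unique, nested, duplicates }:
//   copies     - installed package directories (root project excluded)
//   unique     - distinct name@version pairs
//   nested     - copies installed below another package's node_modules
//   duplicates - name@version pairs installed more than once
function summarizeLock(lock) {
  const versions = new Map(); // name@version -> number of installed copies
  let copies = 0;
  let nested = 0;
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (installPath === "") continue; // root project entry, not a dependency
    copies += 1;
    const first = installPath.indexOf("node_modules/");
    if (first !== installPath.lastIndexOf("node_modules/")) nested += 1;
    const key = `${packageNameFromPath(installPath)}@${meta.version}`;
    versions.set(key, (versions.get(key) || 0) + 1);
  }
  const duplicates = [...versions.entries()]
    .filter(([, count]) => count > 1)
    .map(([key]) => key)
    .sort();
  return { copies, unique: versions.size, nested, duplicates };
}

const summary = summarizeLock(SAMPLE_LOCK);
console.log(
  `${summary.copies} installed copies, ${summary.unique} unique name@version, ` +
    `${summary.nested} nested; duplicated: ${summary.duplicates.join(", ") || "none"}`
);
```

Two things fall out of the split: `copies - unique` is the count that the audit total overstates by (each nested copy of a vulnerable version is reported again), while `unique` is the number of distinct packages that actually need to be patched or upgraded.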
Javascript doesn't have a standard library (something a lot of languages provide), and nodejs's built-in function library is... lacking. Also, the culture of providing small packages, being around for longer, and so on and so forth...
I have a project I haven't even started yet in Rust. Three dependencies in Cargo.toml. They download and install 34 dependencies.
I've now added three more (from kube-rs readme). It's now 197 dependencies. And so on.
The largest, and not exactly admirable, I can find is reqwest that drags in 97.
Whilst 100 is a huge number... It's an enormous gap from the many thousands.