And that it is not even the worst I have seen. I think the worst offenders are development tools like webpack.

I have a small project that I work on from time to time which uses 5 libraries (react, a map library and a chart library), typescript, and react-scripts (which I guess pulls in webpack and all the rest).

This is what happens when I run a npm audit (I havent' touched it for a couple of months)

> found 38934 vulnerabilities (38916 low, 18 moderate) in 906346 scanned packages

> run `npm audit fix` to fix 38620 of them.

> 314 vulnerabilities require manual review. See the full report for details.

While the real numbers are probably lower because there is a lot of duplication inside the node_modules folder, I find this ... astounding.

Javascript doesn't have a standard library (something a lot of languages provide), and nodejs's built-in functions library are... lacking. Also, the culture of providing small packages, being around for longer, and so on and so forth...

I have a project I haven't even started yet in Rust. Three dependencies in Cargo.toml. They download and install 34 dependencies.

I've now added three more (from kube-rs readme). It's now 197 dependencies. And so on.