
The package manager also has evolved to handle lots of dependencies.

In the article 19000 packages are installed in 40 seconds... My Django project with 100 times fewer dependencies takes longer in CI.

Npm comes with an audit tool.

I have never seen dependency resolution fail (since packages can have private copies), unlike pypi or rubygems.

So some of the downsides to a large dependency tree are mitigated. I'll add one more downside:

- more chances for shenanigans like left-pad to cause issues.

Don't get me wrong, I think 19000 dependencies is fucking nuts. NINETEEN THOUSAND.



> 19000 dependencies

Doesn't this happen because of package manager duplication? I think npm lets packages have their own copies of their dependencies. Since we have a lot of small, widely used packages, they get duplicated at numerous points in the dependency graph. The number of files and installation size explodes.


A big part is the development toolchain, which would be installed at a system level for most languages.

I started a vue project last night, npm install --production installs 4 packages. With dev dependencies, I get 2300 packages. Eslint, babel, webpack, etc. bring in lots of luggage.

BTW, I think 19000 is wrong, on a fresh node_modules I get:

    $ npm install gatsby
    ...
    + gatsby@2.20.18
    added 1773 packages from 733 contributors 
     and audited 23706 packages in 52.317s
    $ du -sh node_modules
    245M node_modules

Not sure where the "audited" number comes from, but it's not the number of installed packages. I get 2737 directories containing a package.json, 1477 of which are unique.

`debug` appears 32 times!
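A way to reproduce the count above (installed copies vs. unique names, and how many times one package such as `debug` is nested) on any node_modules tree. This is an added example, not code from the thread; it builds a small constructed fixture so it runs offline, and the function names are its own.

```shell
#!/usr/bin/env bash
# Added example: count installed package copies in a node_modules tree and
# measure duplication caused by npm nesting private copies of dependencies.
set -eu

# Create one package directory with a minimal package.json.
mkpkg() {  # mkpkg <root> <name> <version>
  mkdir -p "$1/node_modules/$2"
  printf '{"name":"%s","version":"%s"}\n' "$2" "$3" > "$1/node_modules/$2/package.json"
}

# Constructed fixture: two apps that each carry a private copy of `debug`
# (different versions), which in turn carry a private copy of `ms`.
build_fixture() {
  local root; root=$(mktemp -d)
  mkpkg "$root" app-a 1.0.0
  mkpkg "$root" app-b 1.0.0
  mkpkg "$root" debug 4.1.0
  mkpkg "$root" ms 2.1.0
  mkpkg "$root/node_modules/app-a" debug 2.6.9
  mkpkg "$root/node_modules/app-a/node_modules/debug" ms 2.0.0
  mkpkg "$root/node_modules/app-b" debug 3.2.6
  mkpkg "$root/node_modules/app-b/node_modules/debug" ms 2.0.0
  echo "$root"
}

# Every directory holding a package.json is one installed copy.
count_installed() { find "$1/node_modules" -type f -name package.json | wc -l | tr -d ' '; }

# Package name = path component(s) after the nearest node_modules
# (handles scoped packages such as @scope/name).
pkg_names() {
  find "$1/node_modules" -type f -name package.json \
    | sed -E 's#.*/node_modules/(@[^/]+/[^/]+|[^/]+)/package\.json$#\1#'
}

# Distinct package names, regardless of how many copies are nested.
count_unique() { pkg_names "$1" | sort -u | wc -l | tr -d ' '; }

# Number of installed copies of one package name (0 if absent).
count_copies() { pkg_names "$1" | grep -cx "$2" || true; }

# Report on the constructed fixture; a real run would point at a project root.
demo() {
  local root; root=$(build_fixture)
  printf 'installed copies: %s\nunique names: %s\ndebug copies: %s\n' \
    "$(count_installed "$root")" "$(count_unique "$root")" "$(count_copies "$root" debug)"
  rm -rf "$root"
}
demo
```

Point the three count functions at a real project directory (the parent of node_modules) to get the same "directories vs. unique" split the comment reports.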
