<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>JavaScript |</title><link>https://mikelayuso.com/tags/javascript/</link><atom:link href="https://mikelayuso.com/tags/javascript/index.xml" rel="self" type="application/rss+xml"/><description>JavaScript</description><generator>HugoBlox Kit (https://hugoblox.com)</generator><language>en-us</language><lastBuildDate>Sun, 17 May 2026 00:00:00 +0000</lastBuildDate><image><url>https://mikelayuso.com/media/icon_hu_b0970716f810afd6.png</url><title>JavaScript</title><link>https://mikelayuso.com/tags/javascript/</link></image><item><title>Microdependency Hell: The Cost of Package Culture</title><link>https://mikelayuso.com/blog/microdependency-tax/</link><pubDate>Sun, 17 May 2026 00:00:00 +0000</pubDate><guid>https://mikelayuso.com/blog/microdependency-tax/</guid><description>&lt;p&gt;One thing I highlighted in my
almost as an afterthought: the Rust binary ships with &lt;em&gt;no runtime dependencies&lt;/em&gt;. Download it, run it, nothing to install. The more time I spend across C/C++, Rust, and Godot, the more that property looks less like a convenience and more like a design goal worth chasing on purpose, because the alternative has a cost.&lt;/p&gt;
&lt;h2 id="the-incident"&gt;The incident&lt;/h2&gt;
&lt;p&gt;A perfect example in the JavaScript ecosystem is what happened on March 22, 2016. Azer Koçulu published a small npm package called &lt;code&gt;left-pad&lt;/code&gt;, 17 lines that padded strings on the left. When Kik Messenger wanted the package name &lt;code&gt;kik&lt;/code&gt; for their own use, npm sided with the company and transferred ownership away from Koçulu. In protest, he unpublished all 273 of his packages.
When &lt;code&gt;left-pad&lt;/code&gt; vanished, Babel and React Native broke. Thousands of projects at Facebook, PayPal, Netflix, Spotify and many others stopped building. Not because of a sophisticated attack. Because a justifiably angry maintainer deleted code he had written for free.&lt;/p&gt;
&lt;h2 id="how-the-ecosystem-got-here"&gt;How the ecosystem got here&lt;/h2&gt;
&lt;p&gt;npm hosts over 4 million packages, not a measure of creativity, but of incentive. Each package is its own GitHub repo, its own resume line, and its own download counter. The ecosystem rewards fragmentation, because each successful package is a credential with a counter attached, and the ecosystem has never learned to care what the counter is counting. The result is packages like &lt;code&gt;is-odd&lt;/code&gt;, which checks whether a number is odd, depending on &lt;code&gt;is-number&lt;/code&gt;, depending on &lt;code&gt;kind-of&lt;/code&gt;. Three packages, three maintainers, three supply chain entry points for a question you can answer in one line.
A typical React or Next.js app pulls between 1,200 and 1,800 transitive dependencies. No human reads them. When I&amp;rsquo;m building something in Godot, I don&amp;rsquo;t &lt;code&gt;npm install physics&lt;/code&gt;, the engine ships with it, one curated trust boundary maintained by a team. That contrast is hard to unsee.&lt;/p&gt;
&lt;h2 id="the-real-risk"&gt;The real risk&lt;/h2&gt;
&lt;p&gt;Tools like Snyk scan for &lt;em&gt;known&lt;/em&gt; vulnerabilities, by definition, ones that have already burned someone else. What they don&amp;rsquo;t catch: a package three levels deep maintained by someone who hasn&amp;rsquo;t logged in in years, whose npm account gets taken over by an untrusted maintainer, who publishes a new version with a helpful postinstall script that reads your environment variables.
This isn&amp;rsquo;t hypothetical. In 2018, &lt;code&gt;event-stream&lt;/code&gt; was handed off to a stranger who volunteered to help, then used that access to exfiltrate Bitcoin private keys; the package was downloaded 2 million times a week for two months before anyone noticed. In 2022, the maintainer of &lt;code&gt;colors&lt;/code&gt; and &lt;code&gt;faker&lt;/code&gt; pushed a self-sabotaging update as a protest. No hack, no zero-day. A maintainer in a bad mood, 20 million weekly downloads, production builds broken overnight.
These aren&amp;rsquo;t bugs in the trust model. They &lt;em&gt;are&lt;/em&gt; the trust model.&lt;/p&gt;
&lt;h2 id="the-correction"&gt;The correction&lt;/h2&gt;
&lt;p&gt;Sindre Sorhus, the person more responsible than anyone for the small-modules culture, now publicly argues for fewer dependencies and bigger standard libraries. In the last few years, Node has added native fetch, a test runner, and SQLite, without a single install. The platform is starting to absorb what fragmentation spread.
The instinct to keep surface area small, to understand what runs in your process, isn&amp;rsquo;t NIH (Not Invented Here) syndrome. It&amp;rsquo;s engineering. The JavaScript ecosystem spent 15 years treating it as optional. The supply chain incidents are the cost.&lt;/p&gt;</description></item></channel></rss>