How to make a well informed decision before adding a NPM dependency to your project

When doing front-end development, you might come at a point where you want to use a 3rd party library to make the developer experience a bit better. It is, however, good to do some research before including a library or framework. Some libraries may not be actively maintained or add a lot of extra dependencies which you do not need or want.

10 Point Checklist

I have composed a checklist to make a well informed decision, before adding a library:

1. How much effort is it to build it myself - is it really necessary to include the library?

2. What alternative libraries/frameworks can be used?

3. What is the performance compared to the alternatives?

4. How big is the library - also compared to the alternative libraries?

5. How many dependencies is the library depending on?

6. How many Github stars, contributors, issues has the library?

7. When was the last update?

8. Does the library have automated (unit) tests with a high coverage and sufficient expect / assert statements?

9. Are there any issues? If none then probably nobody uses it. If there are a lot of open issues, then how long ago has there been updates on these issues?

10. Is there any documentation? And is it up-to-date? And is it sufficient to start using and also understanding the library?

NpmCompare

To make research a bit easier and faster, there is a nice website, called npmcompare, which you can use to compare npm packages with each other.

The other day I was investigating which library I wanted to use to do decimal number calculations, I was considering Bignumber.js, big.js, decimal.js and decimal.js-light. With the use of npmcompare it’s easily see some basic github information side by side: npmcompare.com/compare/big.js,bignumber.js,decimal.js,decimal.js-light

Another example where I used npmcompare is: npmcompare.com/compare/concurrently,npm-run-all,parallelshell

Be careful

Depending on libraries or frameworks always introduces a risk. Please read the following articles to understand how depending on libraries can go wrong:

• theregister.co.uk/2016/03/23/npm_left_pad_chaos/

• hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

NPQ

When using 3rd party libraries, consider using NPQ to auditing them as part of your install process to prevent the usage of malicious packages. NPQ checks the snyk.io database if the library has any vulnerabilities and also checks things like age and download count of the package. It will also do synthethic checks, like checking pre- and postinstall scripts that can potentially do harm to your system.