Adrian Bece
Checklist for choosing an optimal npm package

There is no doubt you have used npm in a project at least once. npm helps us find, install and update the various dependencies and packages a project needs. There are a few things to keep in mind while searching for an npm package and before installing it:

  • Does the package have any vulnerabilities?
  • Is the package being maintained?
  • Does the package have bugs that will affect my use-case?
  • Is the package size acceptable?
  • How does it compare to similar packages?

Does the package have any vulnerabilities?

As we’ve seen before, npm packages can become a target for various attacks and malicious code injections. Although npm audit and npm audit fix do a good enough job of tracking and fixing vulnerabilities, you can use snyk.io to search for the package in their vulnerability database before even installing it.


Is the package being maintained?

The simplest way of checking whether the package is being actively maintained by the author or the community is to go through the version history and see how often the package is updated. It’s also good to check the issues section on GitHub and see if the author is actively working on fixing bugs reported by users.
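The version-history check described above can be scripted from the `time` field that `npm view <pkg> --json` returns (a map of version to publish date). This is an added example, not code from the original post; the sample data and the 365-day staleness threshold are constructed assumptions.

```javascript
// Summarise release cadence from the `time` map of `npm view <pkg> --json`.
const MS_PER_DAY = 86_400_000;

// Constructed sample (not a real package) of `npm view some-pkg time --json`.
const sampleTime = {
  created: "2019-01-10T12:00:00.000Z",
  modified: "2021-06-01T09:30:00.000Z",
  "1.0.0": "2019-01-10T12:00:00.000Z",
  "1.0.1": "2019-02-15T08:00:00.000Z",
  "1.1.0": "2019-06-20T10:00:00.000Z",
  "1.2.0": "2020-03-05T16:00:00.000Z",
  "2.0.0-beta.1": "2021-05-20T11:00:00.000Z",
  "2.0.0": "2021-06-01T09:30:00.000Z",
};

// Drop the registry's `created`/`modified` bookkeeping keys and return the
// published versions ordered by publish date.
function releases(timeMap) {
  return Object.entries(timeMap)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, date: new Date(iso) }))
    .sort((a, b) => a.date - b.date);
}

// Number of releases, days since the latest one, the median gap between
// releases, and a coarse maintained/stale verdict.
function maintenanceSummary(timeMap, now = new Date()) {
  const rel = releases(timeMap);
  if (rel.length === 0) return { releases: 0, maintained: false };
  const gaps = [];
  for (let i = 1; i < rel.length; i++) {
    gaps.push((rel[i].date - rel[i - 1].date) / MS_PER_DAY);
  }
  gaps.sort((a, b) => a - b);
  const medianGapDays = gaps.length ? gaps[Math.floor(gaps.length / 2)] : null;
  const last = rel[rel.length - 1];
  const daysSinceLastRelease = Math.floor((now - last.date) / MS_PER_DAY);
  return {
    releases: rel.length,
    lastVersion: last.version,
    daysSinceLastRelease,
    medianGapDays,
    // Assumed threshold: more than a year without a release counts as stale.
    maintained: daysSinceLastRelease <= 365,
  };
}

console.log(maintenanceSummary(sampleTime, new Date("2022-06-01T09:30:00.000Z")));
```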

Does the package have bugs that will affect my use-case?

Similarly to the previous item, you can check the issues section on GitHub and see if there are any open issues or bug reports that apply to your use case. A few examples of such issues are: a conflict with another package, an edge-case bug, a specific performance problem, etc.

Is the package size acceptable?

Sometimes a package has dependencies that increase its size dramatically, which in turn affects the size and performance of our website or app. To avoid this, check the bundle size on Bundlephobia and see if it fits your size and performance requirements.


How does it compare to similar packages?

Often, you will find multiple packages that fit your requirements. In those cases, you would want to compare them side-by-side and determine which package truly fits your needs, is regularly maintained and is widely used.

One of those tools is npm compare. It shows a highly-detailed side-by-side comparison of two packages and it highlights which package is the best in each metric (issues reported, average time for updating, size, etc.).


Another useful tool is npm trends, which shows package popularity over time and a simpler, less-detailed comparison.


Anything else to be aware of?

Feel free to post in the comments if you take into account some other criteria when searching and selecting an npm package.

Great post summing up all the points for decision making :)

Just want to add one more point:

Version Compatibility

Sometimes we also need to check that the package and its dependencies will not conflict with our project's dependency versions.


These articles are fueled by coffee. So if you enjoy my work and found it useful, consider buying me a coffee! I would really appreciate it.


Thank you for taking the time to read this post. If you've found this useful, please give it a ❤️ or 🦄, share and comment.

Top comments (3)

Idris Rampurawala

Great post summing up all the points for decision making :)

Just want to add one more point:

Version Compatibility

Sometimes we also need to check that the package and its dependencies will not conflict with our project's dependency versions.

Adrian Bece

Thank you. I have included your comment in the article.

Santee

Very useful, thanks!