
PackagePhobia – Find the cost of adding a new dev dependency to your project

hsbauauvhabzb

In what world does cost mean file size and not consider financial cost, patching, security auditing, debugging, and the cost of finally ripping it out when everyone agrees retrospectively that it was a mistake to include in the first place?

Come to think of it, the shortcoming of the description explains a lot of things about the current state of the JavaScript ecosystem.

viraptor

There's no way to automatically establish those costs, considering that if you want some of that functionality, you take that cost on yourself too.

aragilar

I would have thought it would show how big the dependency tree was.

fmajid

And a count of historical CVEs in its transitive graph.

ChrisMarshallNY

CVEs might not be the best metric, alone.

Many large, mature, and solid packages could have long histories of resolved CVEs.

m463

> In what world

the land of spherical cows...

reminds me of https://www.folklore.org/Negative_2000_Lines_Of_Code.html

bayindirh

...explains a lot of things about the current state of the JavaScript, Python, Rust and Go ecosystems.

Here, FTFY.

IOW, having a package manager in your programming language is a boon and a curse, but more of the latter. People just add a single line to their dependency list, and pull in the literal world. As long as their code runs the way it should, nobody, I mean, nobody cares.

This is a huge problem.

hsbauauvhabzb

At least with Python you can get away with an awful lot without pulling in random packages. I use the Python REPL and scripts daily, and seldom use pip (apt repos I'm fine with).

wolvesechoes

"...explains a lot of things about the current state of the JavaScript, Python, Rust and Go ecosystems."

The difference is that with Go or Python you can, if you decide to, do quite a lot without either pulling random stuff from the internet or making your own implementation from scratch, due to extensive standard libraries.

jcelerier

> People just add a single line to their dependency list, and pull in the literal world.

So do you prefer the situation in C++ where you just add one dependency, like "boost" or "Qt", and it still pulls in 15M lines of code, but now it's just "one" dependency instead of 150?

ChrisMarshallNY

BTW: Most compiled languages have good linkers and postprocessors. They strip out unused executable.

The compile might take a while, but the resulting binary may not be as big as you think.

This does not apply, however, to interpreted languages, like JS.

Not sure about "JIT" languages, though, like Python and PHP.

bayindirh

No, I prefer to find and vendor in single libraries which do not come with 15M lines of code. Like Eigen.

On the other hand, you can introduce Qt modularly, so you don't have to import all of them. Same for Boost, though I don't use either.

I write Go and use Uber's zap for logging. It pulls in an uncomfortable amount of code, too. Until I can find something better, I'll continue using it, but I'm not comfortable with it.

However, in C++ land, I was able to use standalone libraries like Catch or Eigen which were big, but not unwieldy, and Eigen is also as modular as Boost. So you know what you include and what you do at the end of the day.

I'm a big fan of standalone source code repositories which vendor the minimum number of libraries (which I strive to develop, too). You need GCC and glibc only. Just make it, use it. "No hidden fees, no games", I may say.

wolvesechoes

Yes.

Even ignoring the fact that no one forces you to add whole Qt to your project, do not compare Qt, which is a battle-tested, long-lived framework, developed and maintained for decades by the company that also provides commercial support for it, with a bucket of intermingled crap sourced from random repositories across the internet.

ChrisMarshallNY

Which also shows the issue with using size as the only metric.

Boost and Qt are very solid systems. They have well-deserved, excellent reputations. In order for this tool to be useful, it would need to have a “reputation score,” that relies on more than GH stars and social media buzz.

That said, I am not a fan of doing something like adding 1MB to a page load, so you can animate a button press; even if the dependency is reputable.

Sometimes, it makes more sense to reinvent the wheel, as opposed to bringing in an 18-wheeler.

robinsonb5

I find this problem much easier to talk about face-to-face - my catchphrase on the subject involves gestures: "All we've done is trade this kind of complexity <holds hands about two feet apart, vertically> for this kind of complexity <holds hands about four feet apart, horizontally>."

stoicjumbotron

Based on this talk by TkDodo (TanStack Query maintainer): https://youtu.be/8-RTNnn9GR8?t=255 , https://bundlejs.com/ is the better alternative to check your dependency sizes with.

cebert

I appreciate the concept, but there are additional costs that would be great to consider. How frequently do you need to patch the package to address CVEs? How many downstream dependencies does this package have? How often do they make breaking changes?

mrlatinos

I thought this was language agnostic. Should probably make it more clear that it's for JS.

jensenbox

I agree 100% - this needs to be renamed if it is not agnostic.

spankalee

Looking at some packages that I maintain, I think the sizes might be off, but I'll have to dig in more later.

I wonder if it's handling export conditions properly? We have browser, node, developer, and types exports. Are the files behind them quadruple counted?

radicalriddler

They say sponsored by Vercel and Upstash, but in the repo, it just says hosting and database "sponsored" by them. Are they just using the free tier???

radicalriddler

Frankly bundlephobia gives me more information that I care about... "How much is the end user going to have to download, parse and execute".

pcthrowaway

This is somehow slower and worse than bundlephobia. Was bundlephobia an improvement on this concept or is packagephobia just a cheap knockoff?

mubou

I like how the graph shows the change in size per version.

"Publish size" is a little misleading though. I thought that meant the size that would be included in my bundle when I publish my app, and was wondering how you were calculating that. Maybe "w/ deps" "w/o deps"?

I'd appreciate you not hiding information below the fold. Really hate that design trend. Remove the `min-height: 100vh` and see how much better it looks (with a bit of padding). At least make it 90vh.

ycombinatornews

How is this different from bundlephobia?

silverwind

bundlephobia counts loaded code size, this counts total package size.

imoreno

Does anyone know something like this, but for other languages like Python?

worthless-trash

Useless, doesn't even know what glibc is.