Please Stop With MicroLibraries NPM

TL;DR

Treat micro-libraries as operational and supply-chain risks, not harmless convenience code, because dependency graphs amplify small removals into large outages.

Briefing Cornell Notes

Briefing

Micro-libraries—tiny, single-purpose npm packages—should be avoided because every added dependency multiplies failure points across security, compatibility, performance, and maintenance. The left-pad incident from 2006 is the cautionary tale: a trivial package that trimmed strings became a system-wide outage when it was removed after a dispute, breaking thousands of downstream projects and even taking major services offline. That history matters because it reframes “small utilities” as supply-chain and operational risks, not harmless convenience.

The core argument goes further than “don’t use dependencies.” It lays out a framework for weighing libraries’ costs and benefits and claims the balance often tilts negative for micro-libraries. Benefits are real—libraries can save development time, provide more robust implementations, and deliver ongoing security and bug fixes maintained by others. But those upsides depend on the library being a good fit, mature, widely used, and stable under upgrades. Costs start immediately: a dependency can be a poor match, force awkward adaptations, introduce bugs or bad APIs, and trap teams in abstractions that make upgrades painful. Even when code is correct, updates are unpredictable—breaking changes, deprecated functions, performance regressions, and bundle-size growth can arrive without warning.

A major theme is that dependency risk is not limited to the direct package. Transitive dependencies quietly expand the attack surface and inflate the project footprint. In JavaScript ecosystems, node_modules bloat is common: routine updates can multiply storage and download sizes, increasing install times, build times, and user bundle sizes. The discussion points to initiatives aimed at cleaning up dependency sprawl, but also notes that even cleanup efforts can be undermined by the same heavy dependency patterns.

Security concerns are treated as supply-chain realities. Installing packages can execute scripts during npm install, and every dependency is a potential vector for malicious or compromised code. Vendoring can reduce exposure to future installs, but it doesn’t eliminate the need to vet and re-vet when updates happen. The transcript also highlights how version ranges and tooling behavior can lead to unexpected upgrades, meaning teams may not fully control what code ends up in production.

To make the case concrete, the transcript dissects the npm package “is-number,” a micro-library that checks whether a value is a finite number or a finite non-empty numeric string. The analysis argues it provides little practical value over straightforward, easily verified code, and it introduces definitional ambiguity—some users consider numeric strings “numbers,” others don’t. Once multiple major versions appear, semantic versioning assumptions break down in practice, and duplicate implementations become a discoverability and maintenance problem.

The closing message shifts from risk management to developer capability: libraries are not magic, and fear of bugs or edge cases often drives people to outsource simple logic. The transcript encourages writing small pieces of code directly—sometimes even copy-pasting from sources like Stack Overflow—because debugging and understanding one’s own code is easier than treating third-party utilities as black boxes. The overall takeaway is that micro-libraries trade away control for convenience, and the convenience rarely justifies the compounded cost.

Cornell Notes

Micro-libraries on npm are treated as a net liability because each dependency increases the odds of breakage, security exposure, and maintenance overhead. The left-pad incident is used to show how a tiny utility can cascade into widespread outages when removed or changed. A cost-benefit framework is offered: libraries can save time and bring robustness and security updates, but micro-libraries often provide minimal real value while creating upgrade risk, transitive dependency bloat, and supply-chain attack surface. A detailed example—“is-number”—illustrates how tiny helpers can be redundant, introduce definitional disputes, and multiply versions. The conclusion pushes developers to write and verify simple logic themselves when the upside is small.

Why does a “trivial” npm package like left-pad become a system-wide failure?

The left-pad incident shows that downstream projects often depend on tiny utilities without redundancy. When the package was removed after a dispute, thousands of projects that listed it as a dependency couldn’t build or install. The impact wasn’t limited to one app: major tooling and frameworks (including Babel and React) were affected, and even large services like Netflix reportedly went down. The key point is that dependency graphs turn small changes into large outages.

What are the main benefits of using libraries, and when do they actually hold up?

Libraries can save development time, especially for complicated problems, and mature libraries may handle more edge cases. Widespread usage can also make implementations less likely to be wrong, and updates can deliver security patches, bug fixes, and new features with minimal compatibility breakage. Those benefits are strongest when the library is a good fit for the team’s requirements and when upgrades are predictable and well-managed.

What costs show up even if a library is correct and popular?

Costs include poor fit (forcing the app to adapt to the library), upgrade pain (breaking changes, deprecated APIs, rewrites, performance regressions, and new bugs), and the fact that developers can get trapped in abstractions built around a dependency. The transcript also emphasizes that “robustness” isn’t the same as “perfect for your use case,” and that third-party code can be risky because teams can’t fully see or control what’s inside.

How do transitive dependencies and footprint bloat change the risk profile?

Transitive dependencies mean that adding one package can pull in many more, each with its own vulnerabilities and maintenance burden. In JavaScript, node_modules bloat is common: routine updates can invisibly multiply the footprint, increasing install and build times and inflating bundle sizes. The transcript cites an example where node_modules contained hundreds of megabytes of JSON and that automation runs repeatedly downloaded that amount, illustrating how waste compounds over time.

Why is “is-number” used as an example against micro-libraries?

The package is positioned as a single-function helper that checks for finite numbers or finite non-empty numeric strings. The critique is that it barely saves development time because the logic is straightforward to write and verify. It also creates definitional ambiguity: whether a numeric string “counts” as a number depends on requirements, so different teams may disagree. Finally, multiple major versions can coexist, and semantic versioning assumptions may fail in practice, leading to duplication and discoverability problems.

What’s the practical alternative proposed for micro functionality?

For tiny utilities, the transcript argues for copy-pasting or writing the code directly into the codebase. The reasoning is that developers can then debug and log within their own code, audit behavior more easily, and avoid black-box surprises. It also notes a licensing caveat (e.g., GPL implications when copying code), but treats it as manageable compared with the ongoing operational and security costs of micro-library dependencies.

Review Questions

What specific failure modes does adding a dependency introduce beyond “more code to maintain”?
How does definitional mismatch (e.g., what counts as a “number”) undermine the value of a micro-library like “is-number”?
In what ways do transitive dependencies and version ranges make dependency risk harder to control?

Key Points

1
Treat micro-libraries as operational and supply-chain risks, not harmless convenience code, because dependency graphs amplify small removals into large outages.
2
Use a cost-benefit framework: libraries can save time and provide robustness, but micro-libraries often deliver minimal upside relative to upgrade and maintenance costs.
3
Assume upgrades are unpredictable: breaking changes, deprecated APIs, performance regressions, and new bugs can arrive even when versioning looks compatible.
4
Account for transitive dependencies and node_modules bloat; footprint growth increases install/build time and can inflate user bundle sizes.
5
Recognize that npm install can run scripts, making supply-chain attack vectors part of the threat model for every dependency.
6
Avoid definitional ambiguity by writing simple logic in-house when requirements are narrow or subjective (e.g., whether numeric strings count as numbers).
7
Build confidence by debugging and auditing your own code; fear of edge cases is often a reason people outsource simple logic unnecessarily.

Highlights

Left-pad’s removal showed how a tiny string utility can cascade into thousands of broken builds, including major tooling and services—proof that “trivial” dependencies can still be catastrophic.

A dependency’s cost isn’t just the package itself: transitive dependencies and node_modules bloat can multiply footprint, install time, and security exposure.

The “is-number” example targets micro-libraries that are redundant and introduce definitional disputes, leading to duplicated versions and maintenance overhead.

The closing stance is capability-focused: libraries aren’t magic, and writing/debugging simple logic directly is often easier than treating third-party helpers as black boxes.

Topics

Micro-Libraries
Dependency Risk
npm Supply Chain
Transitive Dependencies
Cost-Benefit Libraries