trivial and outdated NPM packages



About

NPM Smell aims to reduce the impact of supply chain attacks in the NPM ecosystem.

It does this by highlighting trivial or outdated dependencies with high download counts, enabling maintainers to remove them.

Why?

Security. NPM contains many trivial or outdated packages that are downloaded millions of times, making them prime targets for supply chain attacks.

Attackers exploit the fact that trivial or outdated packages are essentially complete and require minimal maintenance. When maintainers lose interest or no longer have time to maintain them, attackers often pose as well-intentioned contributors and offer to take over the project, then publish malicious updates once they hold publish rights.

What are trivial or outdated packages?

Trivial

Trivial packages provide functionality that should be common knowledge for most JavaScript developers, for example checking whether a value is an array or whether a number is odd. Despite their simplicity, these packages may pull in further dependencies of their own, unnecessarily increasing the attack surface.
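One way to make that extra attack surface visible is to count how many transitive packages each direct dependency drags in. The script below is an added example, not NPM Smell's own code; it walks the `packages` map of an npm lockfile (v2/v3 format) and assumes the constructed sample lockfile embedded in it, with hoisted (top-level `node_modules/`) entries only.

```javascript
// Constructed sample lockfile: "is-thing" is a one-liner style package that
// nevertheless pulls in two more packages (with a dependency cycle between them),
// while "tiny-util" has no dependencies at all. Names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "is-thing": "^1.0.0", "tiny-util": "^2.0.0" } },
    "node_modules/is-thing": { version: "1.0.0", dependencies: { "kind-helper": "^1.0.0" } },
    "node_modules/kind-helper": { version: "1.0.0", dependencies: { "deep-helper": "^1.0.0" } },
    "node_modules/deep-helper": { version: "1.0.0", dependencies: { "kind-helper": "^1.0.0" } },
    "node_modules/tiny-util": { version: "2.0.0" },
  },
};

// Breadth-first walk over lockfile entries starting at one package name.
// The visited set makes dependency cycles terminate. Only hoisted entries
// ("node_modules/<name>") are resolved; nested node_modules are an assumption
// this example does not cover.
function transitiveClosure(lock, name) {
  const seen = new Set();
  const queue = [name];
  while (queue.length > 0) {
    const current = queue.shift();
    if (seen.has(current)) continue;
    seen.add(current);
    const entry = lock.packages[`node_modules/${current}`];
    if (!entry) continue; // not in the lockfile: nothing further to follow
    for (const dep of Object.keys(entry.dependencies || {})) queue.push(dep);
  }
  seen.delete(name); // report only what the package brings along, not itself
  return [...seen].sort();
}

// For every direct dependency of the root project, list the packages it
// transitively installs. A large list behind a trivial package is the smell.
function dependencyFootprint(lock) {
  const root = lock.packages[""] || {};
  return Object.keys(root.dependencies || {}).map((name) => ({
    name,
    transitive: transitiveClosure(lock, name),
  }));
}

for (const { name, transitive } of dependencyFootprint(SAMPLE_LOCK)) {
  console.log(`${name}: ${transitive.length} transitive package(s) ${JSON.stringify(transitive)}`);
}
```

Point the same functions at a real `package-lock.json` read with `JSON.parse` to audit an actual project.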

Outdated

Outdated packages provide functionality that is now supported by the language or runtime itself.