Study: 97% Of NodeJS Projects Depend On Package Containing npm Creator's Shopping List
May 7, 2017
CAMBRIDGE - In a press conference today, MIT researchers unveiled their discovery from an exhaustive analysis of the entire NodeJS package manager (npm) repository: nearly every package in existence has a direct or indirect dependency on "shopping-list", which is nothing more than a text file written by npm creator Isaac Schlueter listing things he needed to buy from the supermarket in mid-October of 2010. The month-long study found that approximately 462,000 of the nearly half-million available entries in the npm catalogue would call into existence a fresh copy of stufftobuy.txt upon executing the "npm install" command.
Documents released by the research team indicate that the shopping-list package was likely an accidental addition by Schlueter to the npm repository in its infancy. A careless package.json incorporation by an unknown adjunct repository package was all that was needed for shopping-list to mushroom into one of the most installed packages on the site. One researcher remarked that this outcome was unsurprising, since "nobody knows what the hell is inside their node_modules directory anyway, everyone just installs a ton of crap without consideration of its composition".
When questioned by reporters, the research team indicated it was highly skeptical of the necessity of a simple text file containing strings like "granola bars", "bananas", and "toilet paper", but since the file was not even 1 kilobyte in size, it was probably prudent to just leave it be. The team made it clear that, although it was out of the purview of their study, it would be computationally feasible - though expensive - to conclusively determine if any packages in the repository actually required the presence of strings like "band aids" and "shaving cream" inside stufftobuy.txt to operate properly.