Study: 97% Of NodeJS Projects Depend On Package Containing npm Creator's Shopping List

May 7, 2017

CAMBRIDGE - In a press conference today, MIT researchers unveiled their discovery from an exhaustive analysis of the entire NodeJS package manager (npm) repository: nearly every package in existence has a direct or indirect dependency on "shopping-list", which is nothing more than a text file written by npm creator Isaac Schlueter listing things he needed to buy from the supermarket in mid-October of 2010. The month-long study found that approximately 462,000 of the nearly half-million available entries in the npm catalogue would call into existence a fresh copy of stufftobuy.txt upon executing the "npm install" command.

Documents released by the research team indicate that the shopping-list package was likely an accidental addition by Schlueter to the npm repository in its infancy. A careless package.json incorporation by an unknown adjunct repository package was all that was needed for shopping-list to mushroom into one of the most installed packages on the site. One researcher remarked that this outcome was unsurprising, since "nobody knows what the hell is inside their node_modules directory anyway, everyone just installs a ton of crap without consideration of its composition".

When questioned by reporters, the research team indicated it was highly skeptical of the necessity of a simple text file containing strings like "granola bars", "bananas", and "toilet paper", but since the file was not even 1 kilobyte in size, it was probably prudent to just leave it be. The team made it clear that, although it was out of the purview of their study, it would be computationally feasible - though expensive - to conclusively determine if any packages in the repository actually required the presence of strings like "band aids" and "shaving cream" inside stufftobuy.txt to operate properly.

You might also enjoy:

LinkedIn Now Allows Recruiters To Send Recordings Of Unintelligible Noises And Pantomiming As Cold InMail Messages
Report: Interview Question "What happens when you visit a URL?" Phased Out After Answers Including NSA, GFW, Turkey Deemed Too Depressing
Rideshare Passengers Descend Into Awkward Silence After Driver Misses Glaringly Obvious Turn Six Blocks From Destination
Mozilla Announces Firefox "Shame Mode" For Engineers Wanting To Conceal Rudimentary Documentation On Their Screen
Bitcoin Core Contributor Realizes Side Project Inadvertently Establishes FDIC Clone