To quote an old adage, package size doesn't matter.
The actual issue has to do with trusting a package of any size over time. This is true regardless of whether the package implements 1 line of code or 1000.
The trustworthiness of a package is a function of several factors. Code that is not actively maintained can often become less trustworthy over time.
What we need is one or more 3rd party trust metrics, and our bundling/packaging utilities should allow us to use that third party data to determine what is right for our build.
Maybe some of us want strong crypto, maybe others of us want adherence to semver, maybe others want to upgrade only after a new version has had 10K downloads, maybe others only want to use packages with a composite "score" over 80.
On the continuum of code quality from late night hack to NASA, we all must draw a line in the sand that is right for a particular project. One size does not fit all.
It's a big mistake (as well as a profound example of bad reasoning) to blame micropackages. The size of the package has nothing to do with it. Any codebase with any number of dependencies faces some risk by trusting the maintainers or hosting of those dependencies to third parties, which is the problem we need to do a better job of solving.
Fewer packages? Who is to determine the optimal number of packages? Not sure how that benefits anyone. I hesitate to accuse you of trolling but your argument does not seem all that coherent.
That assumes a lot. My code may utilize one dependency that itself utilizes a few dozen useless ones. Whereas someone else may carefully choose 20 dependencies, none of which include any dependencies.
The issue is measuring the trustworthiness of a dependency, and recursively doing that operation throughout the dependency graph.
Simply focusing on the number of dependencies or the size of a dependency is silly.
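As an added illustration (not code from this thread or from any project discussed in it), here is a small JavaScript policy gate that does what the last two posts describe: it walks the dependency graph recursively, scores every package against project-chosen thresholds of the kind the first comment lists (composite score over 80, 10K downloads, semver adherence, staleness), and refuses the build if any node fails. All package names, scores, dates and download counts are constructed; the metadata format stands in for whatever a third-party trust feed would return.

```javascript
// Added example: a trust-policy gate over a dependency graph.
// The registry below is constructed sample data, not real packages.
const sampleRegistry = {
  "my-app":   { score: 90, downloads: 50000,  lastRelease: "2016-03-01", semver: true,  deps: ["util-a", "tiny-pad"] },
  "util-a":   { score: 85, downloads: 120000, lastRelease: "2016-02-10", semver: true,  deps: ["tiny-pad", "my-app"] }, // cycle on purpose
  "tiny-pad": { score: 60, downloads: 300000, lastRelease: "2014-01-05", semver: false, deps: [] },
};

// Each project draws its own line; these thresholds are one example policy.
const strictPolicy = { minScore: 80, minDownloads: 10000, maxStaleDays: 365, requireSemver: true };

const DAY_MS = 24 * 60 * 60 * 1000;

// Return the policy violations for one package (empty array means it passes).
function violations(meta, policy, now) {
  const out = [];
  if (meta.score < policy.minScore) out.push(`score ${meta.score} below ${policy.minScore}`);
  if (meta.downloads < policy.minDownloads) out.push(`only ${meta.downloads} downloads`);
  const staleDays = Math.floor((now - new Date(meta.lastRelease)) / DAY_MS);
  if (staleDays > policy.maxStaleDays) out.push(`no release for ${staleDays} days`);
  if (policy.requireSemver && !meta.semver) out.push("does not follow semver");
  return out;
}

// Walk the graph from `root`, evaluating each package once (so cycles terminate),
// and return { name: [violations...] } for every package reached.
// `now` defaults to a fixed constructed date so results are reproducible.
function evaluateGraph(root, registry, policy, now = new Date("2016-03-23T00:00:00Z")) {
  const report = {};
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (name in report) continue;                       // already evaluated
    const meta = registry[name];
    if (!meta) { report[name] = ["no trust metadata available"]; continue; }
    report[name] = violations(meta, policy, now);
    stack.push(...meta.deps);                            // recurse into transitive deps
  }
  return report;
}

// The build may proceed only if every package in the graph passes the policy.
function graphPasses(report) {
  return Object.values(report).every((v) => v.length === 0);
}

const demo = evaluateGraph("my-app", sampleRegistry, strictPolicy);
console.log(JSON.stringify(demo, null, 2), graphPasses(demo) ? "PASS" : "FAIL");
```

With the strict policy the stale, non-semver, low-scoring `tiny-pad` fails three checks and blocks the build even though it is a transitive dependency two levels down; loosening the thresholds lets the same graph through, which is the point: the line is per project, not per package size.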