Screening NPM Packages: Best Practices
While searching for a third-party NPM package you will find many alternative packages that provide similar functionality. Making the right choice is important, and it is not an easy task. Checking the package license before using it is one of the most important steps.
So, we have divided this article into two parts. In this first part we will discuss a few best practices that we can follow while choosing a third-party NPM package. In the Screening NPM Packages: Package Licensing article we’ll dive deeper into package licensing.
Here are some of the best practices that we can follow while choosing an NPM package:
Package License
Checking the license type of the package is the most important thing. It tells you the terms and conditions under which you may use the package.
If you have already installed the package, you can use a tool such as license-checker to check the NPM package license and make sure your installed packages are legal to use.
We will discuss this in detail in the “Screening NPM Packages: Package Licensing” article.
Maintenance
If a package is updated frequently and has many releases, it is a good indication that the package is active and has fewer open issues. You can check the number of releases on the GitHub repository.
You can also check GitHub Insights to gauge community support for the NPM package. Below are some insights which you can take into consideration.
You can easily find the “Used by” and “Contributors” counts on the repository page. A higher number of users and contributors implies that the package is popular and trustworthy.
The Contributors tab gives you insight into the developer community. Here you can find a statistical representation of the contributors. If there are frequent contributions, the package is maintained by an active developer community.
Contribution & Download Frequency
You can check the number of weekly downloads and the download graph on the NPM package home page. The higher the download count, the more you can trust the package.
You can use npmtrends.com to compare downloads, issues and GitHub stars for a package, and to compare several packages side by side. You simply need to search for the package and it will show the statistics. It also suggests alternatives, which you can select and compare.
You can also check stars, forks, commit frequency, and the contributors count in the GitHub repository. From these counts you will get an idea of the popularity of a library and the community contribution around it.
Bundle Size
The package size grows with the amount of its own code and the dependencies it uses. A large package size in turn affects the performance and size of your application.
To avoid this, you can check the bundle size before installing a package using a tool like bundlephobia.
Security Vulnerabilities
Package security is another important aspect of choosing an NPM package. You can check the security policies of an NPM package from the “Security” tab of its GitHub repository.
If active security policies are defined, that means the developers have taken initial steps to ensure the security of their package.
If you have already installed NPM packages without taking security into account, you can use the npm audit command to run a security check against the installed dependency tree.
The npm audit fix command can help you fix the reported vulnerabilities to some extent, by upgrading to patched versions where a compatible fix is available.
You can also analyse the package’s own dependencies to check for security vulnerabilities, since a vulnerability in a transitive dependency affects your application just as much.
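The license, maintenance, dependency-size and npm audit checks above can be automated. The following is an added example, not code from the original article: it screens a package from its registry metadata (the document served at https://registry.npmjs.org/&lt;name&gt;) together with parsed `npm audit --json` output. Both inputs below are constructed sample data, and the thresholds (365 days, 10 dependencies) are assumptions.

```javascript
// Added example: screen a package from its npm registry metadata and from
// `npm audit --json` output (npm >= 7 shape). All data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry document for a fictional package.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2021-01-05T00:00:00.000Z",
    modified: "2024-05-01T00:00:00.000Z",
    "1.0.0": "2021-01-05T00:00:00.000Z",
    "2.0.0": "2023-11-01T00:00:00.000Z",
    "2.1.0": "2024-05-01T00:00:00.000Z",
  },
  versions: {
    "2.1.0": { license: "MIT", dependencies: { lodash: "^4.17.21", minimist: "^1.2.0" } },
  },
};

// Constructed `npm audit --json` result for the installed tree.
const sampleAudit = {
  vulnerabilities: { minimist: { severity: "critical", fixAvailable: true } },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 1, total: 1 } },
};

// Returns a screening summary plus a list of findings worth a closer look.
// `now` is injectable so the result is reproducible; thresholds are assumptions.
function screenPackage(packument, audit, now = new Date("2024-06-01T00:00:00Z")) {
  const latest = packument["dist-tags"].latest;
  const meta = packument.versions[latest] || {};
  const releases = Object.keys(packument.time).filter((k) => k !== "created" && k !== "modified");
  const daysSinceRelease = Math.floor((now - new Date(packument.time[latest])) / DAY_MS);
  const deps = Object.keys(meta.dependencies || {});
  const vulns = Object.entries(audit.vulnerabilities || {});
  const unfixable = vulns.filter(([, v]) => !v.fixAvailable).map(([n]) => n);
  const findings = [];
  if (!meta.license) findings.push("no license declared");
  if (daysSinceRelease > 365) findings.push(`stale: last release ${daysSinceRelease} days ago`);
  if (deps.length > 10) findings.push(`heavy: ${deps.length} runtime dependencies`);
  if (vulns.length) findings.push(`${vulns.length} advisories (${audit.metadata.vulnerabilities.critical} critical)`);
  if (unfixable.length) findings.push(`no fix available for: ${unfixable.join(", ")}`);
  return { name: packument.name, latest, license: meta.license || null,
           releases: releases.length, daysSinceRelease, dependencies: deps.length, findings };
}

console.log(JSON.stringify(screenPackage(samplePackument, sampleAudit), null, 2));
```

Replace the sample objects with the real registry document and the output of npm audit --json to run the same checks on an actual dependency.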
Conclusion
In this article we discussed some best practices that we can follow while choosing NPM packages.
To learn more about open source licenses and copyright notices, refer to Screening NPM Packages: Package Licensing.