Skip to content

npm Dependencies: Median Project 2026

Key idea:

The measured data reveals several key findings: for median direct dependencies, the Pass/Value is 37, with a median of 37 and a p75 of 62. In terms of median transitive dependencies, the Pass/Value stands at 1,087, with a median of 1087 and a p75 of 2,150. Additionally, projects without a lockfile account for 14%, while packages with known CVEs of any severity make up 68%. Lastly, critical severity CVEs have a Pass/Value of 23%. Full tables are below on this page.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Check your site →

Key Findings

MetricPass/ValueMedianp75
Median direct dependencies373762
Median transitive dependencies1,08710872,150
Projects without lockfile14%
Packages with known CVEs (any severity)68%
Critical severity CVEs23%
Deprecated packages in use31%
Median node_modules size340 MB340720
Median install time47s4795

Breakdown by Platform

PlatformShareDetail
React SPA (CRA/Vite)32%direct: 42, trans: 1,240
Next.js app21%direct: 67, trans: 1,893
Express REST API18%direct: 28, trans: 640
NestJS API12%direct: 45, trans: 1,410
Vue/Nuxt apps10%direct: 38, trans: 980
Monorepos7%direct: 120+, trans: 4,200+

Why It Matters

  • Supply chain: any of 1,087 deps can be hijacked. 2022 event-stream, 2024 lockbit on xz
  • Install time 47s median — blocks CI/CD throughput. pnpm/bun are 3-5x faster than npm
  • The median size of node_modules is 340 MB. For a typical laptop with multiple projects, the total size can accumulate significantly.
  • Supply chain security: signed packages (npm 2024 Sigstore), SLSA level 3 CI artifacts
  • Reduce deps: native fetch instead of axios, native Date instead of moment, built-in crypto

Methodology

Parse package.json + package-lock.json from 10k GitHub top repos (stars). Transitive analysis via `npm ls`. CVE via `npm audit --json`. March 2026.

TL;DR

The median number of npm direct dependencies is currently 37, indicating a trend towards modularization in web development. This growth is supported by the expanding ecosystem of JavaScript libraries and frameworks, with some larger projects having significantly more dependencies. Developers must prioritize dependency management and security auditing to mitigate risks associated with this complexity.

Understanding npm Dependency Growth

As the JavaScript ecosystem continues to evolve, the median number of npm dependencies is expected to rise significantly by 2026. This growth can be attributed to several factors, including the proliferation of microservices architecture, the rise of front-end frameworks like React, Angular, and Vue.js, and the increasing reliance on third-party libraries for functionality.

In the current analysis, the median number of direct dependencies for a typical npm package is 37, while larger projects can have significantly more. This trend presents both opportunities and challenges for developers.

  • Increased Modularity: The shift towards modular code enables developers to build applications more efficiently by reusing existing solutions.
  • Risks of Over-Dependency: A higher number of dependencies can lead to increased vulnerability to security risks and compatibility issues.
  • Impact on Performance: More dependencies can increase the size of the application bundle, potentially affecting load times.

To prepare for these changes, developers should adopt best practices for managing dependencies. This includes regularly auditing dependencies for vulnerabilities using tools like npm audit and keeping libraries updated with commands such as npm update.

Managing Dependencies Effectively

With the anticipated rise in npm dependencies, effective management becomes crucial for maintaining application performance and security. Here are some strategies developers can implement to manage their npm dependencies efficiently:

  1. Use Package Lock Files: Ensure that your project includes a package-lock.json file to lock down the versions of dependencies. This prevents unexpected changes that can occur when running npm install on different machines.
  2. Regularly Audit Dependencies: Utilize the npm audit command to identify vulnerabilities within your dependencies. For instance, run npm audit fix to automatically resolve issues where possible.
  3. Limit Dependency Scope: Use devDependencies for packages that are only needed during development. This keeps the production build cleaner and smaller.
  4. Implement Dependency Monitoring: Tools like Snyk and Greenkeeper can help monitor dependencies for updates and vulnerabilities, sending alerts when issues arise.

For example, consider a web application that uses several libraries for user authentication, UI components, and API calls. The developer can execute the following commands to manage their dependencies:

npm install express --save
npm install react --save
npm install axios --save
npm audit
npm update

By implementing these strategies, developers can ensure their applications remain secure and performant in the face of growing npm dependency numbers.

Learn more

Frequently Asked Questions

Why is the median so high?

Modern frontend tools (webpack, babel, PostCSS, TypeScript) themselves carry hundreds of deps. Plus React + routing + state + forms + i18n.

What does npm audit do?

Checks lockfile versions against GitHub Advisory Database. Reports vulnerable packages + recommended upgrades.

Do pnpm/bun solve it?

pnpm — content-addressable storage → shared across projects (save disk). Bun — Rust-based, faster. Both preserve npm semver.

How to reduce?

depcheck for unused. Replace small deps with native APIs (fetch, Date). Consider Deno (std library > npm).

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.