The measured data reveals several key findings: for median direct dependencies, the Pass/Value is 37, with a median of 37 and a p75 of 62. In terms of median transitive dependencies, the Pass/Value stands at 1,087, with a median of 1087 and a p75 of 2,150. Additionally, projects without a lockfile account for 14%, while packages with known CVEs of any severity make up 68%. Lastly, critical severity CVEs have a Pass/Value of 23%. Full tables are below on this page.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Free online tool — HTTP header checker: instant results, no signup.
| Metric | Pass/Value | Median | p75 |
|---|---|---|---|
| Median direct dependencies | 37 | 37 | 62 |
| Median transitive dependencies | 1,087 | 1087 | 2,150 |
| Projects without lockfile | 14% | — | — |
| Packages with known CVEs (any severity) | 68% | — | — |
| Critical severity CVEs | 23% | — | — |
| Deprecated packages in use | 31% | — | — |
| Median node_modules size | 340 MB | 340 | 720 |
| Median install time | 47s | 47 | 95 |
| Platform | Share | Detail | — |
|---|---|---|---|
| React SPA (CRA/Vite) | 32% | direct: 42, trans: 1,240 | — |
| Next.js app | 21% | direct: 67, trans: 1,893 | — |
| Express REST API | 18% | direct: 28, trans: 640 | — |
| NestJS API | 12% | direct: 45, trans: 1,410 | — |
| Vue/Nuxt apps | 10% | direct: 38, trans: 980 | — |
| Monorepos | 7% | direct: 120+, trans: 4,200+ | — |
Parse package.json + package-lock.json from 10k GitHub top repos (stars). Transitive analysis via `npm ls`. CVE via `npm audit --json`. March 2026.
The median number of npm direct dependencies is currently 37, indicating a trend towards modularization in web development. This growth is supported by the expanding ecosystem of JavaScript libraries and frameworks, with some larger projects having significantly more dependencies. Developers must prioritize dependency management and security auditing to mitigate risks associated with this complexity.
As the JavaScript ecosystem continues to evolve, the median number of npm dependencies is expected to rise significantly by 2026. This growth can be attributed to several factors, including the proliferation of microservices architecture, the rise of front-end frameworks like React, Angular, and Vue.js, and the increasing reliance on third-party libraries for functionality.
In the current analysis, the median number of direct dependencies for a typical npm package is 37, while larger projects can have significantly more. This trend presents both opportunities and challenges for developers.
To prepare for these changes, developers should adopt best practices for managing dependencies. This includes regularly auditing dependencies for vulnerabilities using tools like npm audit and keeping libraries updated with commands such as npm update.
With the anticipated rise in npm dependencies, effective management becomes crucial for maintaining application performance and security. Here are some strategies developers can implement to manage their npm dependencies efficiently:
package-lock.json file to lock down the versions of dependencies. This prevents unexpected changes that can occur when running npm install on different machines.npm audit command to identify vulnerabilities within your dependencies. For instance, run npm audit fix to automatically resolve issues where possible.devDependencies for packages that are only needed during development. This keeps the production build cleaner and smaller.For example, consider a web application that uses several libraries for user authentication, UI components, and API calls. The developer can execute the following commands to manage their dependencies:
npm install express --save
npm install react --save
npm install axios --save
npm audit
npm updateBy implementing these strategies, developers can ensure their applications remain secure and performant in the face of growing npm dependency numbers.
Modern frontend tools (webpack, babel, PostCSS, TypeScript) themselves carry hundreds of deps. Plus React + routing + state + forms + i18n.
Checks lockfile versions against GitHub Advisory Database. Reports vulnerable packages + recommended upgrades.
pnpm — content-addressable storage → shared across projects (save disk). Bun — Rust-based, faster. Both preserve npm semver.
depcheck for unused. Replace small deps with native APIs (fetch, Date). Consider Deno (std library > npm).
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.