undefined | Better HN

0 pointsashishb2mo ago0 comments

> You’re looking at the number of dependents. The React package has no dependencies.

Indeed.

My apologies for misinterpreting the link that I posted.

Consider "devDependencies" here

https://github.com/facebook/react/blob/main/package.json

As far as I know, these 100+ dev dependencies are installed by default. Yes, you can probably avoid it, but it will likely break something during the build process, and most people just stick to the default anyway.

> Reproducible builds, or don’t use those packages.

A lot of things are not reproducible/hermetic builds. Even GitHub Actions is not reproducible https://nesbitt.io/2025/12/06/github-actions-package-manager...

Most frontend frameworks are not reproducible either.

> don’t use those packages.

And do what?

0 comments

nicoburns2mo ago

> As far as I know, these 100+ dev dependencies are installed by default.

devDependencies should only be installed if you're developing the React library itself. They won't be installed if you just depend on React.

ashishbOP2mo ago

> They won't be installed if you just depend on React.

Please correct me if I am wrong, here's my understanding.

"npm install installs both dependencies and dev-dependencies unless NODE_ENV is set to production."

sponnath2mo ago

It does not recursively install dev-dependencies.

1 more reply

rafram2mo ago

Run `npm install react` and see how many packages it says it added. (One.)

remexre2mo ago

If you're trying to audit React, don't you either need to audit its build artifacts rather than its source, or audit those dev dependencies too?

timcobb2mo ago

> And do what?

Keep on keepin on

1 more reply

j / k navigate · click thread line to collapse

0 pointsashishb2mo ago0 comments

> You’re looking at the number of dependents. The React package has no dependencies.

Indeed.

My apologies for misinterpreting the link that I posted.

Consider "devDependencies" here

https://github.com/facebook/react/blob/main/package.json

> Reproducible builds, or don’t use those packages.

A lot of things are not reproducible/hermetic builds. Even GitHub Actions is not reproducible https://nesbitt.io/2025/12/06/github-actions-package-manager...

Most frontend frameworks are not reproducible either.

> don’t use those packages.

And do what?

0 comments

nicoburns2mo ago

> As far as I know, these 100+ dev dependencies are installed by default.

devDependencies should only be installed if you're developing the React library itself. They won't be installed if you just depend on React.

ashishbOP2mo ago

> They won't be installed if you just depend on React.

Please correct me if I am wrong, here's my understanding.

"npm install installs both dependencies and dev-dependencies unless NODE_ENV is set to production."

sponnath2mo ago

It does not recursively install dev-dependencies.

1 more reply

rafram2mo ago

Run `npm install react` and see how many packages it says it added. (One.)

remexre2mo ago

If you're trying to audit React, don't you either need to audit its build artifacts rather than its source, or audit those dev dependencies too?

timcobb2mo ago

> And do what?

Keep on keepin on

1 more reply

j / k navigate · click thread line to collapse