
The hidden cost of every npm dependency

A new package solves a problem in five minutes and costs you a maintenance bill for the next five years.

Every npm install is a long-term commitment. The package that ships in five minutes will ask for security patches for years.

What you actually pay for

Security audit time. Bundle weight. The chance the maintainer drops the project. The chance a transitive dependency does something unexpected. Lock-file churn that adds noise to every PR.

For a package solving a 50-line problem, those costs are usually higher than just writing the 50 lines.

When we install anyway

Cryptography. Date-time math. Anything where being wrong has a security or correctness consequence. We don't roll our own auth, we don't parse our own JWTs, we don't reinvent locale handling.

Our rough check

Before installing, we ask: would I be comfortable copy-pasting this package's code into the repo and maintaining it myself? If the answer is "no, that's the whole point," that's the install. If the answer is "honestly, yes, it's like 80 lines," we write the 80 lines.

The 80 lines never have a CVE.
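One way to put a number on the transitive part of that bill before (or after) installing, as an added example that is not the note's own code: it walks the `packages` map of a package-lock.json and reports how many lock entries each direct dependency drags in. The lock file and package names below are constructed for illustration.

```javascript
// Added example, not from the original note: what one `npm install` commits you to.
// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// reports, per direct dependency, the transitive packages it drags in.
const SAMPLE_LOCK = { // constructed lock with invented package names, for illustration
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "widget-pad": "^1.0.0", "tiny-util": "^2.0.0" } },
    "node_modules/widget-pad": { version: "1.0.0", dependencies: { "str-width": "^3.0.0", "esc-re": "^5.0.0" } },
    "node_modules/str-width": { version: "3.0.0", dependencies: { "strip-esc": "^4.0.0" } },
    "node_modules/strip-esc": { version: "4.0.0", dependencies: { "esc-re": "^4.0.0" } },
    // Nested copy: strip-esc needs an older major than the hoisted esc-re@5.
    "node_modules/strip-esc/node_modules/esc-re": { version: "4.1.0" },
    "node_modules/esc-re": { version: "5.0.0" },
    "node_modules/tiny-util": { version: "2.0.0" },
  },
};

// npm resolution: nearest node_modules first, then walk up toward the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // unresolved, e.g. an optional dep that was skipped
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Per direct dependency: how many lock entries it pulls in beyond itself, and which.
function dependencyCost(packages) {
  const report = {};
  for (const name of Object.keys(packages[""].dependencies || {})) {
    const start = resolveDep(packages, "", name);
    const seen = new Set(start ? [start] : []);
    const queue = [...seen];
    while (queue.length) {
      const cur = queue.shift();
      for (const dep of Object.keys(packages[cur].dependencies || {})) {
        const p = resolveDep(packages, cur, dep);
        if (p && !seen.has(p)) { seen.add(p); queue.push(p); }
      }
    }
    seen.delete(start);
    report[name] = { transitive: seen.size, packages: [...seen].sort() };
  }
  return report;
}
console.log(dependencyCost(SAMPLE_LOCK.packages));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the count per package is the answer to "would I maintain all of this myself?".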

#dependencies #engineering #maintenance