DEV Community

Arnaud Dagnelies

Day 5-6: Who downloads my unfinished npm package?!

So, last Friday, I published my first npm package. Honestly, it was kind of unfinished ...heck, I didn't even try to see if it works properly!

But it does not matter, right? After all, nobody knows about this package. At least, nobody should know about it. I expected a 0 download rate for some time.

However, after spending the weekend with my family and taking a break, I looked at this package again. Because of this 100DaysOfCode challenge, I thought "let's do a little bit today anyway", and what I saw surprised me greatly!

[Image: screenshot of the package's npm download statistics]

Who the heck is downloading my module?! I did not advertise it anywhere. Not a word, except my post two days ago that was seen by "< 25" people as they put it, probably a gentle way of phrasing it so as not to depress writers whose view count is a single digit on the lower end.

So almost nobody should be aware of it. Even the docs are lacking, a starter example is missing ...I don't even know if it works as intended since this whole npm publishing is a little new to me. I just know, for example, that the minified browser build was not available, and after trying to fix it today, I noticed that the minified build stripped out too much. ...but the mystery of who downloaded it and how they arrived there remains.

At least, now I know I should hurry up in the next days to make it functional. ;P

Edit:

26.09 weekly downloads: 134

Top comments (6)

Vincent A. Cicirello

I suspect that there are scrapers that download all versions of all packages. For what reason, I don't know. I don't have anything on npm. But I do have Python packages on PyPI, and the same thing happens there. If you publish a new package there or a new version of an existing one, it will get a bunch of downloads right away. For an existing one, it might be explained by version upgrades. But this happens even with a brand new package.

A few guesses as to why brand new packages are downloaded many times within a day are: possibly mirrors of the registry? Hackers looking for vulnerabilities to exploit?

Arnaud Dagnelies

Like you said, I also expect CDNs and automated infrastructures like vulnerability checking bots to play a role in it. I'm very curious to see if it will die down or not ;p

Vincent A. Cicirello • Edited

Since you said it currently lacks functionality, then it will die down a bit after a couple days, but every time you publish a new version the downloads will go back up for a few days.

I guess you'll see the same pattern I see on PyPI. If you want to see an example, follow this link to see the download data for one of my packages on PyPI: pepy.tech/project/bibliometrics

This is relatively new and serves a rather niche purpose, so it is not likely to have many real users represented in the graph yet.

In the graph you'll notice a couple of spikes. Those correspond to when I published new versions. Scroll down in the table below the graph to 9/7 and you'll see the first 2 days of the most recent release had 54 and 58 downloads each, but then the 3rd day only 18 and then less on the 4th day.

If you scroll back to 8/26 and 8/1 you'll see a similar pattern for the prior 2 releases. Not shown in the chart anymore, the first release in early July or late June had the same pattern when nobody but me knew about it.

The spike on 9/7 is steeper than all prior ones, and doesn't trail off quite as low as previously, so that might be a sign of some actual users. Or it might also just be an increase in coverage by mirrors, etc.
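The pattern Vincent describes above (a burst of downloads for the first two or three days after each publish, then a fall back to a low baseline) can be checked against the data rather than eyeballed. The script below is an added example and is not code from the post or from any commenter; it takes the per-day counts in the shape the npm downloads API returns (`api.npmjs.org/downloads/range/<period>/<pkg>`) plus the version publish timestamps in the shape of the `time` field of `registry.npmjs.org/<pkg>`, tags each day as inside or outside a release window, and compares the two groups. The sample data, the three-day window length and the `fetchDownloadStats` helper are my assumptions; the numbers are constructed to resemble the 54/58/18 sequence mentioned in the comment.

```javascript
// Added example, not from the original post. Separates "release window"
// download days (the first few days after a version was published) from
// baseline days, so release-triggered bot/mirror traffic can be compared
// with the steady-state count that more plausibly reflects real users.

// Assumption: the post-publish burst lasts about three days.
const RELEASE_WINDOW_DAYS = 3;

// Constructed sample, shaped like the "downloads" array returned by
// https://api.npmjs.org/downloads/range/<period>/<package>.
const sampleDownloads = [
  { day: '2022-09-05', downloads: 4 },
  { day: '2022-09-06', downloads: 3 },
  { day: '2022-09-07', downloads: 54 }, // version 1.1.0 published this day
  { day: '2022-09-08', downloads: 58 },
  { day: '2022-09-09', downloads: 18 },
  { day: '2022-09-10', downloads: 9 },
  { day: '2022-09-11', downloads: 5 },
  { day: '2022-09-12', downloads: 4 },
];

// Constructed sample, shaped like the "time" field of
// https://registry.npmjs.org/<package> (version -> ISO publish timestamp,
// plus the "created" and "modified" bookkeeping keys).
const sampleTimes = {
  created: '2022-07-01T10:00:00.000Z',
  modified: '2022-09-07T08:00:00.000Z',
  '1.0.0': '2022-07-01T10:00:00.000Z',
  '1.1.0': '2022-09-07T08:00:00.000Z',
};

// Reduce the registry "time" map to a list of { version, day } entries.
function publishDates(times) {
  return Object.entries(times)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, iso]) => ({ version, day: iso.slice(0, 10) }));
}

// Whole days from day a to day b (both 'YYYY-MM-DD', treated as UTC).
function dayDiff(a, b) {
  const ms = Date.parse(b + 'T00:00:00Z') - Date.parse(a + 'T00:00:00Z');
  return Math.round(ms / 86400000);
}

// Tag each day as a release-window day or a baseline day and summarise both.
function classifyDownloads(downloads, times, windowDays = RELEASE_WINDOW_DAYS) {
  const releases = publishDates(times);
  const releaseDays = [];
  const baselineDays = [];
  for (const entry of downloads) {
    const inWindow = releases.some(r => {
      const d = dayDiff(r.day, entry.day);
      return d >= 0 && d < windowDays;
    });
    (inWindow ? releaseDays : baselineDays).push(entry);
  }
  const sum = arr => arr.reduce((n, e) => n + e.downloads, 0);
  const avg = arr => (arr.length ? sum(arr) / arr.length : 0);
  return {
    releaseDays,
    baselineDays,
    releaseTotal: sum(releaseDays),
    baselineTotal: sum(baselineDays),
    releaseAvgPerDay: avg(releaseDays),
    baselineAvgPerDay: avg(baselineDays),
  };
}

// Live variant (assumed helper, not invoked here): pull both data sets for a
// real package. Requires a runtime with global fetch (Node 18+ or a browser).
async function fetchDownloadStats(pkg, period = 'last-month') {
  const [range, meta] = await Promise.all([
    fetch(`https://api.npmjs.org/downloads/range/${period}/${pkg}`).then(r => r.json()),
    fetch(`https://registry.npmjs.org/${pkg}`).then(r => r.json()),
  ]);
  return classifyDownloads(range.downloads, meta.time);
}

const report = classifyDownloads(sampleDownloads, sampleTimes);
console.log(`release-window days: ${report.releaseDays.length}, total ${report.releaseTotal}, ` +
            `avg/day ${report.releaseAvgPerDay.toFixed(1)}`);
console.log(`baseline days: ${report.baselineDays.length}, total ${report.baselineTotal}, ` +
            `avg/day ${report.baselineAvgPerDay.toFixed(1)}`);
```

On the constructed sample the three release-window days account for 130 downloads against an average of 5 per day outside the window, which is the shape the comment describes: the headline weekly total says little about real adoption, while the baseline average after the window closes is the number worth watching.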

Jan Vlnas • Edited

Congrats on the first published package!

Those downloads are very unlikely to be real users. Like Vincent suggests, those are likely mirrors precaching the packages. There's also a huge monitoring infrastructure around supply chain security; companies like Snyk monitor new and updated packages for possible malware, so that's probably the reason for those downloads. You will likely see the traffic dropping off in the coming days.

Arnaud Dagnelies

Thanks. Yeah, it's probably because of bots... Lots of bots apparently... Another thought I had was CDNs copying it. Who knows. I'm curious to see how it will evolve ^^

Ren Hiyama

They are npm mirror servers and ESM CDN providers like esm.sh, jsDelivr and other services that are caching them. You can make sure by publishing a lot of versions; you are going to see more downloads ;)