I Published a Dummy Pkg to NPM, and Here is What Happened

22 Apr 2024


I have published a dummy package called cli-pbar to the npm registry. Let me explain why I did this and what happens next.


A few years ago, I published some packages to npm and tried their search to see if my packages were popping up in the results. I could find my packages somewhere around the 5th results page.

So, I thought there were packages that were more eligible than ours.

Later, even after consistent package maintenance and applying the appropriate search keywords, it still didn't work. My packages were still many pages behind.

Later, I found there are problems with the NPM search scores.

The following are my observations:

  • The inefficient quality score calculations.
    • Scores of pkgs with minified code are lowered.
    • The dependencies must be up-to-date, even if you don't need them.
    • The pkg must have a custom website to get a higher score.
    • Scores may be lower if your pkg is not at a SemVer major release.
  • Not considering pkg provenance.
  • The unknown mechanism for code complexity measures.

The Dummy Package

Now I wanted to test npm's package search ranking criteria.

As the npm docs say:

"Quality includes considerations such as the presence of a README file, stability, tests, up-to-date dependencies, custom website, and code complexity."

I created a dummy package named cli-pbar, a dummy of our organization's original package opentf/cli-pbar, with all of the following requirements:

  • ✅ README file
  • ✅ Stability - Released Major SemVer
  • ✅ Tests - Added dummy tests
  • ✅ Up-to-date Dependencies - Zero dependencies
  • ✅ Custom Website - Pointed to our Organization website
  • ✅ Code Complexity - Single index.js file with just a console.log()

The Result

Now, when I again tried with the same search keywords, the experiment got surprising results.

Guess what? 🎉 Now our dummy package is featured on the first page, and it is also within the top 10 packages.

https://www.npmjs.com/search?q=cli%20progress


This is just an experiment, with no intention to spam the registry.

I had discussions with the npm team about this; they are aware of this and are planning to remove the PQM score, and I hope they will fix it ASAP.


😂 Fun Fact: Someone cloned my pkg and published it under a different scope; that pkg is featured above my original package in the search results.
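
The checks that search rank does not make for you, as an added example (not code from the original post or from npm): it flags a search hit that has no provenance attestation or that reuses the base name of a package you already trust, the two situations described in the observations list and in the fun fact above. The package names, the `TRUSTED` pin list and the sample manifests are constructed, and the code assumes the registry's per-version JSON carries `dist.attestations.provenance` for releases published with provenance.

```javascript
// Added example; all package names and manifests below are constructed.
// Assumption: `manifest` is the per-version registry JSON, where a release
// published with provenance carries dist.attestations.provenance.
const TRUSTED = [ // packages already vetted, pinned to their source repo
  { name: '@example-org/progress', repo: 'github.com/example-org/progress' },
];

// "@scope/name" -> "name"; unscoped names come back unchanged.
const baseName = (n) => (n.startsWith('@') ? n.split('/')[1] || '' : n);

// "git+https://github.com/a/b.git" or "git@github.com:a/b.git" -> "github.com/a/b"
function normalizeRepo(repository) {
  const url = typeof repository === 'string' ? repository : (repository && repository.url) || '';
  return url.replace(/^git\+/, '').replace(/^[a-z]+:\/\//i, '').replace(/^git@/, '')
    .replace(/^([^\/:]+):/, '$1/').replace(/\.git$/, '').replace(/\/$/, '').toLowerCase();
}

function vetSearchHit(manifest, trusted = TRUSTED) {
  const findings = [];
  const attestations = (manifest.dist || {}).attestations;
  if (!(attestations && attestations.provenance)) findings.push('no-provenance');
  const repo = normalizeRepo(manifest.repository);
  if (!repo) findings.push('no-repository');
  for (const t of trusted) {
    if (manifest.name === t.name) {
      // Same name: the declared repo must still be the pinned one.
      if (repo !== t.repo) findings.push(`repo-mismatch:${t.name}`);
    } else if (baseName(manifest.name) === baseName(t.name)) {
      // Different publisher namespace, same base name: unscoped or re-scoped copy.
      findings.push(`name-shadows:${t.name}`);
    }
  }
  return findings;
}

const SAMPLES = {
  genuine: { name: '@example-org/progress', version: '1.2.0',
    repository: { type: 'git', url: 'git+https://github.com/example-org/progress.git' },
    dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
  dummy: { name: 'progress', version: '1.0.0', homepage: 'https://example.org', dist: {} },
  rescoped: { name: '@someone-else/progress', version: '1.2.0',
    repository: 'git@github.com:example-org/progress.git', dist: {} },
};

for (const [label, m] of Object.entries(SAMPLES)) {
  console.log(label, vetSearchHit(m));
}
```

The `rescoped` sample passes the repository check because the `repository` field is self-declared and is copied along with the rest of `package.json`; only the missing attestation and the name check catch it.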

Let me know your comments please.

🙏 Thanks for reading.