I Built a CLI That Shows the Real Cost of Your node_modules (Size + Security + Age)
Source: DEV Community
The CanisterWorm Wake-Up Call

In March 2026, the CanisterWorm malware spread through compromised npm packages — and it exposed how blind most developers are to what is actually sitting in their node_modules. Not just which packages are installed, but:

- How big is each one?
- Does it have known vulnerabilities?
- When was it last maintained?

That last one matters more than people think. A package that has not been touched in 2,000 days is not necessarily broken — but it is a higher-risk surface for supply chain attacks. Attackers look for abandoned packages with high download counts and weak maintainer security.

I wanted to see all three columns at once. I could not find a tool that did it. So I built one.

What node-weight shows

    npx node-weight

That is it. Zero install. Run it in any Node.js project directory and you get a table:

    ┌─────────────────────────┬──────────┬──────────┬───────────────┐
    │ Package                 │ Size     │ Security │ Last Updated  │
    ├─────────────────────────┼──────────┼──────────┼─────